XBRL Revolution Has
Begun for Reporting 

Financial information spec emerging 



BY DAVID WORTHINGTON 

Extensible Business Reporting 
Language (XBRL) is poised to 
revolutionize financial reporting 
and analysis in the United 
States — provided stakeholders 
react favorably to a draft of the 
XBRL US GAAP Taxonomies. 
Its acceptance could clear the 
way for a mandate from the U.S. 
Securities and Exchange Com- 
mission later this year. 

The draft, published on Dec. 
5 by XBRL US, a consortium 
dedicated to the standard's adoption
in the United States, is under
public review until the comment 
period ends on April 4, 2008. 
XBRL US is encouraging auditors,
investors, financial analysts,
public company preparers and
software providers to participate.

XBRL is an emerging XML- 
based standard to define and 
exchange business and financial 
performance information and is 
governed by the not-for-profit 
international consortium XBRL 
International. The taxonomies 
provide a set of tags that represent 
Generally Accepted Accounting 
Principles (GAAP) for financial 
reporting. 

Both the European Union 
Central Bank Supervisors and 
the U.S. Federal Deposit Insur- 
ance Corp. have adopted XBRL 



Coghead to Flex With 
Amazon's Services 



BY ALEX HANDY 

It seems that old FileMaker 
applications never die, they just 
move onto a server underneath 
someone's desk. In an effort to 
eliminate such legacy data- 
driven applications, Coghead 
has moved its Web application 
development environment onto 
the Adobe Flex platform, and 
reinforced its online offerings 
with Amazon's hosted services. 

Developers searching for a 
quick and connected way to 
replace aging spreadsheets and 
Microsoft Access applications 
might seek out Coghead's rich 
client, which according to the 
company serves as both a devel- 
opment and a runtime environ- 
ment for SaaS-like applications. 




The various projects that users are building inside Coghead can be managed 
centrally from within the multipurpose Coghead client. 



The client software enables 
drag-and-drop application de- 
sign, and backs it up with SaaS- 
style hosting in Coghead's 



servers. But with version 2.0, 
those servers have been trans- 
ferred into Amazon's cloud of 



New Roles, Rules Take Getting Used To 
R.I.P. NETSCAPE

Saying goodbye to the Web 
browser that once defined 
the Internet. 

page 27 



Dealing with 'people' issues hardest part of agile adoption 



The Impact of Agile 



BY JENNIFER DEJONG 

Every organization that embarks 
on agile development finds itself 
in uncharted territory. Bosses no 
longer call the shots. Analysts, 
developers and testers team up 
and wear one another's hats. And 
business stakeholders are asked 
to participate in software pro- 
jects more fully than ever before, 
often putting their day jobs on 
hold. Navigating these new roles 
and rules of agile organizations 
feels unfamiliar, and often 
uncomfortable. 

That's the conclusion SD 



Times reached based on inter- 
views with more than 20 analysts, 
consultants, developers and tool 
makers involved in agile projects. 

One of the first things teams 
discover is that existing job roles 
correspond with project stages of 
waterfall development: analysis, 
architecture, coding and testing. 

That's a poor fit for agile, 
where team members are asked 
to do a little bit of everything, 
said IBM Rational practice 
leader for agile development 
Scott Ambler. "Agile teams need 
generalizing specialists." But that 



role is hard to come by, he said. 
Instead, teams struggle to align 
outdated roles with the new 
development approach. "What 
happens to the business analyst?" 
Ambler said. "Agile says: 'Do 
analysis 20 minutes a day. The 
rest of the time you write code.' 
That is pretty tough." 

It's so tough that some agile teams choose not to adhere to that particular practice, said Ray Goodman, a senior vice president for inventory software developer Direct Tech, which adopted Scrum a couple of years ago. "In theory, Scrum team members pick the tasks they want to do," he said. But in reality, people stay within their areas of expertise. "We have user interface experts,

SECOND OF A THREE-PART

JAN. 1: Agile Changing Everything
TODAY: New Roles, Rules Required
FEB. 1: Putting a Slant on Tools



IN THIS ISSUE

IBM Donates Accessibility Framework to Eclipse
Veracode Tightens Guard at Back Door
Sybase Refreshes Workspace Tooling
JSR 317 Persistently Improving
Software AG Continues SOA Buying Spree
Nexthaus Ships Beta of iPhone Sync Client
Microsoft Inadvertently Ships Deleted Files
O'BRIEN: Crushed by Technical Debt?
BINSTOCK: Patterns as an Anti-Pattern?
LINTHICUM: Have You Made Your SOA Resolutions?
RUBINSTEIN: Sticking to It









www.sdtimes.com 



Software Development Times . January 15, 2008



NEWS 



Microsoft Inadvertently Ships Deleted Files 

Disk image with evaluation software not properly wiped 



BY DAVID WORTHINGTON 

New technology may not always carry the seeds of destruction, but the possibility for a good pantsing is always there.

Microsoft's use of virtual machines to distribute evaluation versions of software saves the end user much of the pain of having to configure test systems. However, it also introduces a new quality control issue by exposing the full dimension of data that was on the system when the virtual machine's disk image was created. Last month, that issue caught Microsoft off guard.

The company began making disk images, or Virtual Hard Drives (VHDs), with evaluation versions available on a limited basis in 2005 and more generally accessible through Microsoft TechNet in November 2006, and had provided a way for partners to build their own prepackaged software stacks, using the Virtual PC technology it acquired from the now-defunct Connectix in 2003.

Microsoft deleted a copy of Whitney Defrag before it shipped the Internet Explorer VHD.

The VHD also contains a picture of an unidentified woman.

Last month, SD Times learned that at least one of the machine images available for download at TechNet did not have its free space wiped, and files thought deleted proved recoverable from an evaluation copy of the Internet Explorer Application Compatibility VPC Image.

Although there didn't appear to be anything sketchy in that disk image, SD Times did observe what appeared to be a deleted third-party boot-time defragmenter program.

It also appeared that a Windows XP (with Service Pack 2) CD had been copied to the virtual PC's hard drive and deleted. If the person that made the image deleted the XP files as the last thing she did, it might be possible to recover the entire CD. But in this case, other files were presumably added to the image after the deletion, thus overwriting many files.

A Microsoft spokesperson was unavailable when asked if it had a policy on how to prepare a VHD for distribution.

Voke analyst and founder Theresa Lanowitz remarked that it appears as if Microsoft lacked proper quality control. "It speaks to the process being not clearly defined. There are so many instances of things like that in the past," she said.

Lanowitz speculated about the consequences if Microsoft had left some sort of confidential or proprietary information on the VHD and it got out and was propagated across the Web. "If it was someone else's source code, it would be a violation of IP at the point," she said.

"Microsoft has been the quintessential software distributing company for decades. This is one of the things you would expect to see [with unsupervised rookie developers] but not from a company like Microsoft. It goes back to QC best practices; virtualization or not, there is always a security risk you've got to be able to manage." She continued, "It is almost as if they didn't know any better, but they certainly do."

Lanowitz added that management and security are areas that have to be kept in mind as the industry moves down the virtualization path.



Whitehurst Dons Red Hat Crown 

Red Hat brings in former Delta Airlines COO as new president and CEO 



BY JEFF FEINMAN 

Red Hat announced that Jim 
Whitehurst has been named 
the company's president and 
CEO, taking up the position on
Jan. 1.

Whitehurst had been serv- 
ing as COO, and in other roles, 
for Delta Airlines since 2002, 
and was the vice president and 
director of the Boston Consult- 
ing Group prior to that. He 
succeeds Matthew Szulik, who 
said he was stepping down 
from his post due to family 
health issues. 

With the change in leader- 
ship, analysts say that Red Hat's 
main focus needs to be main- 
taining the momentum of the 
JBoss application server.
"They're competing with significant
players there: Microsoft,
IBM, Oracle, BEA and SAP as 
the 'super-platform' players," 
said Anne Thomas Manes, vice 
president and research direc- 
tor at Burton Group. "The 
JBoss application server is 
more widely deployed than any 
other application server with 
the possible exception of IBM 
WebSphere. For Red Hat, it is 
wonderful to have an open 
source alternative to the offer- 
ings of the major commercial 
vendors." 

Szulik joined Red Hat in 
1998, and will remain chairman 
of the board of directors. "For 
nearly a decade, Matthew Szu- 
lik's vision and leadership legit- 
imized free, open source soft- 
ware as an innovative and 



profitable business model," not- 
ed William Kaiser, lead director 
of Red Hat's board of directors, 
in the announcement. "From 
Red Hat's early days as a small, 
private company, Szulik trans- 
formed Red Hat into a globally 
recognized brand whose 
approach to technology devel- 
opment and customer service 
has redefined the software 
industry." 

According to Red Hat offi- 
cials, Whitehurst's operational 
experience with a global com- 
pany such as Delta will help 
Red Hat continue to maintain 
annual revenues of over US$1 
billion. A native of Columbus, 
Ga., Whitehurst handled sales, 
operations, customer service 
and network and revenue management
in his COO role at
Delta. He graduated from Rice 
University with a bachelor's 
degree in computer science and 
economics. 

"Red Hat has changed the 
way people consume technolo- 
gy," Whitehurst said in a state- 
ment. "This is an outstanding 
company that I feel privileged 
to join. Our outlook is positive 
with strong technology, great 
people, solid management and 
a global brand. Red Hat leads 
the software industry in deliv- 
ering value to its customers. I 
welcome this opportunity to 
lead Red Hat into the future." 

Additionally, Red Hat announced total revenue of $135 million for its third fiscal quarter ending Nov. 30. That total was an increase of 28 percent from the same quarter a year ago and 6 percent over the previous quarter. Subscription revenue was $115.7 million, up 30 percent from a year ago.

Jim Whitehurst, pictured, succeeds Matthew Szulik, who remains on the board of directors as chairman.
NEWS BRIEFS



COMPANIES 



Open source business intelligence provider JasperSoft has announced that its iReport graphical report and dashboard design tool now has the capability to work with the NetBeans 6.0 IDE. iReport for NetBeans can be deployed into custom desktop and Web applications, along with the JasperServer Web-based reporting server . . . Grid.org reported that in its first month of existence, it had signed up almost 500 members and recorded more than 900 downloads of the initial beta of its free open source Cluster Express project. A second beta became available in December, and further enhancements to the Grid.org community site are expected in the first quarter of 2008.



NEW PRODUCTS 



JEDA Technologies, which provides electronic system level design 
tools, has announced the availability of NSCvCC, a code coverage 
product for C/C++ and SystemC designs. It is built on top of NSCv, 
JEDA's native SystemC verification environment. 



UPDATES 



Rally Software has released Rally 2007.7, its agile project management tool. The latest version of the tool comes with improved release burndown charts for predicting when releases will be ready for delivery, simplified notifications rules so users can be notified of only the changes that matter to them, and a new Web services API . . . Dundas Data Visualization has released Dundas Chart for SharePoint 1.5, a charting component designed specifically for Microsoft's SharePoint portal technology. The new version of the chart comes with the ability to automatically apply financial and statistical formulas within the SharePoint design user interface, along with the capability to send data to other SharePoint Web Parts . . . Palamida, a provider of open source software risk management tools, has expanded its Vulnerability Reporting Solution detection capabilities to include 431 open source security alerts . . . Application and data integration software company Attunity has released version 5.1 of its Attunity Integration Suite. The new version comes with a change data capture technique called continuous CDC, which supposedly enables extract and load tools to use standard SQL query and continuously feed only changed data records for processing . . . Eiffel Software has released EiffelStudio 6.1, the latest version of its IDE. EiffelStudio 6.1 brings new features such as basic elements of the ISO standard attached type mechanism, which company officials said will allow programmers to guarantee the absence of null pointer dereferencing. Another new feature in the updated version is nonconforming inheritance, which Eiffel officials said would provide more flexible inheritance capabilities . . . Xtenit, which focuses on e-mail and content management, has announced the release of the Xtenit Subscriber API, an XML request and response protocol for use in customized applications developed with JavaScript, portlets and other Web 2.0 tools. The company claims that by using the API, applications will automatically maintain session data for easy control of subscriber login activity and status . . . Open source ERP specialist xTuple has announced the general availability of version 2.3 of xTuple Applications, PostBooks and OpenMFG. The company provides ERP tools built on open source components, including the Open RPT report writer, the PostgreSQL database and the Qt toolkit for C++.



PEOPLE

Jared Richardson has joined 6th Sense Analytics as an agile coach and software development evangelist. In early 2007, Richardson founded AgileRTP, the agile users group in North Carolina's Research Triangle Park. In his new position, Richardson will help 6th Sense customers integrate the company's tools into their process.



IBM Accessibility Framework 
Now Accessible via Eclipse 

First piece to be delivered, aiBrowser, 
helps visually disabled with video content 



BY ALEX HANDY 

With a lot of help from IBM, 
Eclipse is making Web sites 
more accessible to the visually 
impaired. 

IBM in December began 
contributing pieces of its 
Accessibility Tools Framework 
to the Eclipse Foundation. 
Over the next six months, the 
company hopes to make the 
entire framework available, 
including validation and test- 
ing tools for assessing the 
usability of Web sites for the 
disabled. 

The Eclipse Foundation 
now has under its umbrella 
IBM's aiBrowser, which allows
embedded video content to 
be made more accessible to 
users with visual disabilities, 
but future code drops 
will greatly expand the frame- 
work. 

Mike Squillace, software 
engineer at IBM, said that 
the framework adheres to 
IBM's internal accessibility 
guidelines, which he said 
were stricter than those man- 
dated by the federal accessi- 
bility guidelines, also known 



as section 508 of the U.S. 
Rehabilitation Act. 

He said the Accessibility 
Tools Framework — known 
internally as ACTF — is "basi- 
cally two things: First, it's a 
collection of software com- 
ponents that can be used by 
developers to build accessibili- 
ty tools. It includes visualiza- 
tion engines, validation en- 
gines and a screen reader. We 
give you a validation engine 
that can validate a Java appli- 
cation against a certain set of 
guidelines, like section 508. 
We also give you the ability to 
extend those guidelines," said 
Squillace. 

Being blind, Squillace is 
keenly aware of the current 
shortcomings of the Web. 
Most notably, he said, was the 
fact that Adobe Flash applica- 
tions embedded in the Web 
are to him a black hole. With 
few to no accessibility stan- 
dards or facilities built into 
Flash, many sightless users 
can't parse the information 
stored in Flash files. 

While ACTF doesn't yet 
solve the Flash problem, 



IBM's Tokyo-based develop- 
ment teams have managed 
to ensure that users with mini- 
mal visual capabilities can 
use video players embedded in 
Web browsers. 

The aiBrowser, which is the 
first piece of the framework to 
have arrived as an open source 
project, can be used to 
make the controls on video 
players larger and easier to 
handle. Tiny play buttons, said 
Squillace, can befuddle dis- 
abled users who may have 
trouble finding on-screen cues 
or controlling a mouse 
accurately. 

The validation engines in 
the Accessibility Tools Frame- 
work will be arriving at the 
Eclipse Foundation over the 
next six months. Squillace said 
he hopes that the framework 
will help make accessible Web 
sites easier to develop. 

In the future, Squillace and 
his team also hope to extract 
the validation engines from 
Eclipse and build them into 
a standalone application that 
can be used in nightly test 
batteries.




Guido Corona is a blind IBM employee who uses the company's accessibility technology. 
Collaboration Key at Canadian College



BY JEFF FEINMAN 

Even when she's entrenched in a 
computer science lab in western 
Canada, Daniela Damian is seek- 
ing ways to leap across continents. 

Damian, an associate profes- 
sor in the department of com- 
puter science at the University 
of Victoria in British Columbia, 
is leading a research lab to 
improve software collaboration 
upon IBM's Jazz collaboration 
platform. The university has 
developed two prototype tools 
that address challenges involv- 
ing project complexities and 
geographic distribution. 

Given an IBM Jazz Faculty 
Grant back in mid-October, uni- 
versity students and faculty are 
doing investigations into ways 
that software teams on the glob- 
al level can achieve an ideal col- 
laboration setting. They're using 
two features of Jazz, the Related 
Contributors Recommender 
and the Feature Awareness 
Team Explorer, to help team 
members keep track of exper- 
tise, and visually understand 
social and artifact relationships. 

"Our prototypes try to mine 
relationships from the development
environment and present
them to a developer," Damian 
said. "It's information that's in 
the system and in the environ- 
ment, but it's not at their finger- 
tips. So we want to put it at their 
fingertips." 

TO GRAPH OR NOT TO GRAPH 

The prototypes will be displayed 
and delivered either in the form 
of a graph visualization or as a 
list. The graph visualization has 
already been built, but more 
user tests will be conducted to 
make sure that is the best form 
of display. It shows the number 



of artifacts that a development 
team member is working on, and 
the people associated with those 
artifacts. People are grouped and 
identified by artifacts, whether 
they are a piece of code, a work 
item, a requirement or a feature. 
"If I work on code that is 
related to a work item that some- 
one else worked on as well, then 
they are visualized in that graph 
for me," Damian said. "If some- 
one else gets assigned to a work 
item, and that person's in Ottawa 
and I'm in Victoria, I may not 
know that that person got 
assigned also. The system would 



find that out and visualize [it]." 

The main benefit that Jazz 
brings, Damian said, is trace- 
ability links between artifacts 
and people that are already 
held within the system. 

The tool then leverages those 
links and computes the elements 
of the graph and displays it to the 
developer. What the university's 
research is attempting to do, she 
said, is to identify the scope of 
that network and find the 
boundaries of collaboration. All 
tasks are related to some degree, 
and the research is focusing on 
the related contributors to a 



developer's current work. 

The University of Victoria was 
one of three universities to 
receive IBM Jazz Faculty Grants, 
the others being the University of 
California, Irvine and the Univer- 
sity of British Columbia. The 
Irvine team is exploring the use of 
multimonitor environments to 
improve project awareness and 
development practices. The Uni- 
versity of British Columbia has 
built an extension of Jazz called 
the Emergent Expertise Locator 
Tool, which helps software devel- 
opment collaboration in a team 
environment.



PERL 5.10 BOASTS FASTER EXPRESSIONS 



BY ALEX HANDY 

On Dec. 18, Perl turned 20 years 
old. To honor the anniversary, 
the Perl community released 
version 5.10 of the language. The 
new version brings a host of new 
commands and features to the 
Perl world, including state vari- 
ables for subroutines and the 
ability to build named captures 
in regular expressions. 

For developers still using Perl 
5.8.x, the new version of the language
rolls up all the previous
bug fixes into a single install 
package. 5.10 includes a newly 
added switch statement, which 
uses a "given, when" format. 

Another change in 5.10 
makes it easier to build recursive 
patterns. Inside of those pat- 
terns, developers can now build 
named capture buffers, making 
it easier to work with data. 

Perl creator Larry Wall is currently
working on Perl 6.0, a version
of the language that has been
in development for a number of 
years now. In September, Wall 
wrote about Perl 6.0 in his annu- 
al "State of the Onion" address. 

"A couple of years ago," he 
noted, "Tim O'Reilly asked me 
what great problem Perl 6 was 
being designed to solve. This 
question always just sat in my 
brain sideways because, apart 
from Perl 0, I have never 
thought of Perl as the solution to 



any one particular problem. If 
there's a particular problem that 
Perl is trying to solve, it's the 
basic fact that all programming 
languages suck. Sort of the con- 
cept of original sin, applied to 
programming languages." 

The new version of Perl isn't the only part of the celebration. Developer Michael Schwern has ported Perl 1.0 to modern compilers for nostalgia's sake and pushed the whole stack into a Subversion repository at svn.unixbeard.net/richardc/perl/perl-1.




IBM Beefs Up Data Studio With Developer-Focused Tooling



BY P.J. CONNOLLY 

Data management is becoming 
a hot-button issue for many 
developers, with a growing con- 
cern over how data is handled 
and the emergence of regulato- 
ry schemes meant to provide 



standard controls on the use of 
data, whether inside the data 
center or outside. Perhaps the 
most important consideration, 
however, remains the scalability 
of an application in a world of 
ever-expanding datasets. 



IBM took a step in that direc- 
tion last month when it updated 
its IBM Data Studio, which was 
introduced in October at the 
company's Information on 
Demand conference in Las 
Vegas. The initial release, a free 



download that supported IBM 
data servers, was described by 
Grant Hutchison, Data Studio 
product manager, as an exten- 
sion of the Eclipse Data Tools 
Project, with extra capabilities 
designed specifically for IBM's 
DB2 and Informix data servers.
But new this time around 
are IBM Data Studio Develop- 
er and a pureQuery runtime for 
IBM Data Studio, designed to 
provide developers with what 
Hutchison called a "highly opti- 
mized Java data access frame- 
work." He later noted, "Data 
access becomes the key point 
when you start scaling up appli- 
cations, and [many] frameworks 
don't really address that." 

A FAMILY AFFAIR 

IBM Data Studio will eventual- 
ly be a family of products, he 
said, incorporating existing 
tools such as Rational Data 
Architect, and extending sup- 
port to data servers from other 
companies. 

"One of the aspects of pure- 
Query is to take the power of 
the SQL language and bring it 
into the Java programming 
environment in a way that 
makes it very easy for Java 
developers to use," he 
explained. "When result sets 
are returned from this pureQuery-type
SQL, the results
become a collection of Java 
objects, so it's very easy for a 
Java developer" to use. 

"When it's time to roll out 
these applications," he contin- 
ued, "there's a deployment 
option that allows you to not 
just execute the application in a 
dynamic SQL way... we allow 
them to deploy into static SQL, 
a preoptimized access plan 
that's supported across the DB2 
family. That gives better appli- 
cation performance, better gov- 
ernance and an improved secu- 
rity model. 

"Data Studio Developer 
extends the development envi- 
ronment for Java projects," he 
claimed. "That could be done 
with Data Studio Developer on 
its own, and integrate that with 
whatever your Java IDE is, or 
you can install Data Studio 
Developer into the latest ver- 
sion of Rational Application 
Developer." Using the static 
access plan in DB2, he noted, 
"gives you a much more 
resilient response time; it's 
more predictable, because the 
queries are not being looked at 
every time they're executed." 

The pureQuery runtime, he 
added, "gets deployed with 
your applications into your Java 
application servers, whether 
they're WebSphere or another
application server."
Veracode Tightens Guard at Back Door



Software-as-a-service tool handles new forms of intrusions 



BY JEFF FEINMAN 

Veracode has updated its Secu- 
rityReview software security 
testing tool to offer new back- 
door detection capabilities. 

Veracode executives say it 
can take several weeks to dis- 
cover a back door inserted into 
software, leaving the application 
vulnerable to intruders. The 
new version of Security Review, 
released in mid-December, pro- 
vides better detection of back- 
door intrusions and malicious 
code, according to Veracode. 
SecurityReview is a software-as- 
a-service security tool that Vera- 
code officials claim is the indus- 
try's first on-demand security 
services on the market. 

Some of the back-door tech- 
niques that the updated Vera- 
code tool can help guard 
against include special creden- 
tial back doors, which occur 
when an attacker inserts logic 
and special credentials into the 
program code, and hidden 
functionality back doors, which 
allow attackers to issue com- 
mands without proper authen- 
tication, Veracode officials said. 

"The special credential 
backdoor is definitely the most 
commonly found, and it could 
be because it's fairly simple," 
said Chris Wysopal, CTO of 
Veracode. "At some point, it 
goes through the normal autho- 
rization functionality of the pro- 
gram, so you can trace back 
from there to find static values 
in the program. 

"The hidden functionality is 
a little bit more difficult to 
find," continued Wysopal. "We 
look for signs that someone is 
trying to obfuscate the changes 
they made to the code. This is a 
common technique people use. 
Instead of putting the password 
in an embedded string, they 
might make it look like it's ran- 
dom data, and when data is 
obfuscated within the binary, 
that sort of raises the flag in our 
analysis that there could be 
something there." 

Wysopal said that one com- 
mon hidden functionality tech- 
nique that Veracode frequently 
finds in customer code is when 
debugged code is left enabled 
in the binary; whether inten- 
tional or otherwise, it's still a 
large vulnerability, he said. 

The updated Veracode service also defends against rootkits,
which can signal that a back door may be present. Rootkits can
subvert functions of the operating system and are used to hide
backdoors. Additionally, the tool can now scan for unintended
network activity such as listening on undocumented ports, making
outbound connections to establish a command and control
channel, or leaking sensitive information over the network via
SMTP, HTTP or other protocols.

Wysopal said that code audits
are a good way to find back
doors, but that automated activi-
ties can also be a great help in
uncovering them. Simply grep-
ping the source base for back-
door vulnerabilities can serve as
a useful test before building an
application, he added.
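The grep-style pre-build check Wysopal describes can be sketched as a small source scanner. This is an added example, not Veracode's tool or method: the identifier list, regular expressions, entropy threshold and the sample C source are all constructed assumptions.

```python
import math
import re
from collections import Counter
from typing import List, NamedTuple


class Finding(NamedTuple):
    line: int
    kind: str
    detail: str


# Assumed heuristics: identifier fragments that suggest an authentication decision.
CRED = r"\b\w*(?:user|login|pass|pwd|token|secret)\w*\b"
STR = r'"((?:[^"\\\n]|\\.)+)"'          # a non-empty string literal
ARG = r'[^,()"]*?'                       # optional prefix such as req->
CMP = r"\b(?:strn?cmp|strcasecmp|memcmp)\s*\(\s*"

# "Special credential" pattern: a credential-like value compared with a static
# literal, in either operand order (==, strcmp family, Java-style equals).
STATIC_CREDENTIAL = [re.compile(p, re.I) for p in (
    rf"{CRED}\s*[=!]=\s*{STR}",
    rf"{STR}\s*[=!]=\s*{CRED}",
    rf"{CMP}{ARG}{CRED}\s*,\s*{STR}",
    rf"{CMP}{STR}\s*,\s*{ARG}{CRED}",
    rf"{CRED}\s*\.\s*equals(?:IgnoreCase)?\s*\(\s*{STR}",
    rf"{STR}\s*\.\s*equals(?:IgnoreCase)?\s*\(\s*{CRED}",
)]
ANY_STR = re.compile(STR)
# Debug code left switched on at build time.
DEBUG_ON = re.compile(r"^\s*#\s*define\s+\w*DEBUG\w*\s+(?:1|true)\b", re.I)

MIN_LEN = 24     # assumed: shorter literals are too noisy to score
MIN_BITS = 4.5   # assumed: bits per character; English text sits well below this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan(source: str) -> List[Finding]:
    """Return review candidates; every hit needs a human look, none is proof."""
    found = set()
    for no, text in enumerate(source.splitlines(), start=1):
        for rx in STATIC_CREDENTIAL:
            for m in rx.finditer(text):
                found.add(Finding(no, "static-credential", m.group(1)))
        # Data that "looks random" may be an obfuscated static value.
        for m in ANY_STR.finditer(text):
            lit = m.group(1)
            if len(lit) >= MIN_LEN and shannon_entropy(lit) >= MIN_BITS:
                found.add(Finding(no, "high-entropy-literal", lit))
        if DEBUG_ON.search(text):
            found.add(Finding(no, "debug-enabled", text.strip()))
    return sorted(found)


# Constructed sample source, not taken from any real product.
SAMPLE = '''\
int check_login(const char *user, const char *pass) {
    if (strcmp(user, "maint") == 0 && strcmp(pass, "letmein-2008") == 0)
        return 1;  /* bypasses the account database */
    log_msg("login failed for user %s", user);
    return db_verify(user, pass);
}
static const char blob[] = "q7Zp2LxV9tRb4MnC8wYh3KfD6sJg1UaE";
#define DEBUG_SHELL 1
'''

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line}: {f.kind}: {f.detail}")
```

The ordinary log message on line 4 of the sample is not reported, because it is neither compared against a credential nor high in entropy.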
Sybase Refreshes Workspace Tooling



Eclipse-based framework adds code generation and data migration 



BY P.J. CONNOLLY 

Just in time for the holiday slow-
down, Sybase delivered updated
tooling in a new version of its
Workspace IDE that was aimed
at supporting the company's
flagship database, as well as oth-
er parts of the product lineup.

Workspace 2.0 is available
now and was updated with sup-
port for Sybase Adaptive Server
Enterprise 15, including such
features as DDL generation and
ad hoc data migration and query
capabilities. The new release,
based on Eclipse 3.3, also incor-
porates technology through
plug-ins that borrow from the
Eclipse Data Tooling Platform
(DTP) and Services Kit.




As Sybase product manager 
Loren Corbridge explained, "A 
lot of our interest and a lot of our 
focus for Workspace, particular- 
ly with this release, is on the 
database side. We're putting a 
lot more emphasis on IQ for this 
release and going forward." 

The ability to generate code 
from data objects will prove 
helpful, according to Cor- 
bridge. "You can pull the 
objects out of an existing data- 
base, and generate the script 
for them and then save those 
using Eclipse... off to a source- 
code control system." 

Corbridge, speaking of the 
data migration features, noted 
that "a lot of our customers on 
the ASE side" had requested it. 
"They want to be able to easily 
take data out of one database, 
and put it into another. This is 
critical for developers who are 
doing unit testing; as they go, 
they've got to be able to see 
what happens to the data, and 
inevitably the data you're using 
becomes all corrupt and 
messed up by the testing... and 
you need to be able to refresh it 
repeatedly." 

The editing and debugging 
tools are a source of pride to 
Corbridge, who noted, "The 
debugger is really fabulous; in 
fact, it's one of the few that real- 
ly handles temp tables. It will 
handle the creation and solu- 
tion of temporary tables, it will 
show you the values that are in 
that temp table, it will show you 
results as they're coming 
through and how different tem- 
porary variables and global vari- 
ables are changing as you're 
stepping through stored proce- 
dures in the debugger. It's real- 
ly quite sophisticated." 

The new release also allows 
users to create and manage 
Sybase Search servers, and pro- 
vides broad support for notifica- 
tion of real-time database 
events. Corbridge said he 
expects that developers used to 
working with hard-copy data 
models would appreciate the 
immediate visibility that Work-
space 2.0 offers. "We have a
visual SQL builder that allows
you to go in without having to
know what columns are in your
table, and... visually pick and get
a window directly into the data- 
base. You've got your data mod- 
el on one tab and your query and 
all the other things you're doing 
with development, or the 
debugger, on another tab." 

Workspace 2.0 is available 
now, and pricing begins at 
US$495 per seat.
Arxan GuardIT 3.0 puts blocks into code that can make it difficult for hackers to decompile
applications in debugging programs like IDA Pro. 

Arxan Locks Code With 
Binary Insertion Engine 



BY ALEX HANDY 

For enterprise software developers, pira- 
cy is not typically the first concern. But for 
developers working with the U.S. Depart- 
ment of Defense or other government 
agencies, anti-piracy tools aren't just nec- 
essary, they can mean the difference 
between winning a contract and present- 
ing again next year. Arxan has learned a 
great deal about dealing with military con- 
tracts, and in GuardIT 3.0, the company 
offers many new paths to protecting the 
information inside of software, and pre- 
venting reverse engineering. 

"GuardIT is a binary insertion engine 
that works on your EXEs and DLLs," 
explained Mike Dulaney, a software engi- 
neer with Arxan. "It injects small units of 
code into the binary to secure it against 
various threats. We don't focus on buffer 
overflows or SQL injections; we focus on 
stopping software from being pirated." 

That doesn't mean Arxan's technology 
is applicable only to vendors. Using 
GuardIT 3.0, developers can insert specif- 
ic reactions that can be triggered when 
reverse engineering is detected. For 
example, the software barriers GuardIT 



installs into an application can detect 
when a debugger is being used. "We use 
things like software breakpoint detection 
to tell if the software's been passed with 
breakpoints inserted," said Dulaney. 

Thus, a developer using GuardIT to 
insert such detection could then trigger a 
reaction, such as the movement of critical 
data to a new point in memory or the 
encryption of core functionality. 

Perhaps most intriguing for military 
contractors, however, are some of the 
more heavyweight reactions that can be 
triggered by GuardIT. If a guarded appli-
cation is being reverse-engineered, devel- 
opers could include commands that poll 
for an IP address, then send home critical 
information about the system and its loca- 
tion to a central server. Or, a guarded 
application could be triggered to delete 
encryption keys, a feature the Depart- 
ment of Defense considers a high priority, 
said Dulaney. 

GuardIT 3.0 arrives on Jan. 17, and 
adds the ability to work with Linux as well 
as Windows. GuardIT can protect C, C++ 
and Fortran applications, and is priced on 
a customer-by-customer basis.



Coverity's Static Analysis 



BY DAVID WORTHINGTON 

Coverity again is helping to unwind the 
intricacies of multithreaded applications 
and make testing for concurrency 
defects more automated and less like 
threading a needle. 

An update to Coverity Prevent SQS 
(Software Quality System), released last 
month, introduces concurrency defect 
detection capabilities for C, C++ and 
Java applications. The new technology 
identifies deadlocks, race conditions and 
thread blocks that may lead to applica-
tion bottlenecks and failures, or infor-
mation loss.

An interface was added to help devel- 
opers understand the interleavings that 
exist in multithreaded applications and 
manifest the possible executions of a 
parallel program. 

Coverity chief technology officer Ben 
Chelf explained that Prevent SQS uses 
deep interprocedural analysis to under- 
stand how locks that protect access 
points in parallel programming are 
acquired in a codebase. That ability is 
SOFTWARE FX CHARTS NEW
COURSE FOR COMPONENT SUITE 



BY DAVID WORTHINGTON 

It stands to reason that 
labeling a product that 
works with Microsoft Visu- 
al Studio 2008 "for 2005" 
is likely to create confu- 
sion. With that in mind, 
Software FX has rechris- 
tened its latest update 
"Chart FX 7." 

Chart FX 7, released 
Dec. 11, uses the same 
API as Chart FX for Visual 
Studio 2005 to maintain 
full compatibility with 
existing Windows Forms 
and Web Forms produc- 
tion code. With this 
release, Software FX inte- 
grated its charting and data visualization 
tools with Visual Studio 2008 to provide 
design-time parity with its Visual Studio 
2005 installation. 

The new name is more in line
with future announcements,
says Software FX's Garcia.

What's more, Chart FX Gauges,
Extensions Pack and Grid FX (the com-
pany's technology for creating graphical
and tabular data in enterprise Web appli-
cations) are slated to support Visual Stu-
dio 2008 during Q1 2008.

In a prepared state- 
ment, Stephen Potter, 
Grid FX architect and lead 
developer, explained that 
the extensibility mecha- 
nism within Visual Studio 
2008 differs from the 2005 
version, prompting the 
company to change the 
way it makes use of those 
facilities to integrate its 
software. 

"Not only is the name 
more appropriate now 
that we have two versions 
of Visual Studio in the 
market, but it is more in 
line with future product 
announcements coming from Software 
FX," said Rene Garcia, president of Soft- 
ware FX, in a prepared statement. "As 
with any new version of a major develop- 
ment tool like Visual Studio, the adoption 
curve will take some time and we wanted 
to prevent unnecessary confusion from 
customers looking for a solution for Visu-
al Studio 2008."




Chart FX 7 integrates with Visual Studio 2008. 



Erases Race Conditions 



coupled with Coverity's SAT (as in 
Boolean Satisfiability) engine to reduce 
instances of false positives. 

The SAT engine — concerned with 
whether a Boolean expression has a 
solution — debuted in September 2007 
as a complement to the company's data 
flow analysis engine. 

Chelf said that the advantage of using 
static analysis to test for concurrency 
defects is that developers do not need to 
worry about the particulars of schedul-
ing while testing. "It removes depen-
dence on scheduling variables," he said.

"To remain competitive, software 
companies need to support multicore 
hardware, which will make multithread- 
ed applications inevitable for most 
developers," Theresa Lanowitz, founder 
of analyst firm Voke, said in a prepared 
statement. "The challenge for develop- 
ers is that multithreaded applications 
add complexity to the application life 
cycle, requiring new expertise and tech- 
nology to maintain application quality 
and security."
Major Browsers No Longer Drop Acid2 Test

Internet Explorer 8 and test builds of Firefox 3.0 offer stricter adherence to W3C standards 



BY DAVID WORTHINGTON 

The practice of developers opti-
mizing for a single Web brows-
er is almost extinct, as browser
makers, including Microsoft,
are becoming sticklers for stan-
dards. Perhaps nothing under-
scores that point more than
Internet Explorer 8 passing a
key standards test.

In mid-December, the
Internet Explorer 8 product
team declared a milestone on
its IEBlog: The browser had
passed the Web Standard Pro-
ject's Acid2 browser test. The
Acid2 test is a page written to
help browser vendors ensure
that Web standards are sup-
ported correctly.

A Microsoft spokesperson 
said that one of the goals for 
IE8 was to support the "right 
set of standards" without break- 
ing the existing Web. "Success- 
fully rendering Acid2 is an 
important landmark for IE 8 as 
it highlights the interoperabili- 
ty, standards compliance and 
backwards compatibility that 
we're committed to for this 
release," Microsoft added. 

The company anticipates 
that it will ship an IE 8 beta 1 in 
the first half of the year; addi- 
tional milestones will be deter- 
mined by developer feedback. 

IE8 is not the only browser 
to pass the Acid2 test. Prelimi- 
nary builds of Gran Paradiso, 
the code name for Firefox 3.0, 
also render the page correctly, 
displaying its "smiley face" 
without any hiccups. The 
Opera browser has passed the 
test since version 9. 

Mike Shaver, Mozilla's chief 
evangelist, explained that mar- 
ket demand and the resurgence 
of non-IE browsers provide the 
simple explanation for a stricter 
adherence to standards among 
vendors. According to Shaver, 
developers are building Web 
applications for the Web with- 
out reference to any specific 
browser. 

"General demand has been 
influenced by the broader 
range of choices to interact with 
the Web, and [mobile] devices 
are a big part of that," he said, 
adding that the vendors are 
now more influenced by stan- 
dards than they were in the 
past, when fixing bugs may have 
been given higher priority. 

"[Mozilla] is glad to see all 
major browser vendors do the 
right thing with a rather com- 
plicated piece of standards test- 
ing, and [we] hope it's sign of a 
major trend and not a parlor 
trick," Shaver quipped. 

A spokesperson for Opera 
was not available by press time, 
but a FAQ published for the 
press addresses its support for 
W3C technical standards. 
According to Opera, the advent 
of the wireless Internet has 
forced Webmasters to comply 
with W3C standards rather than 
write to a specific browser.
Fedora Update Tips Topper



Red Hat's simpler distribution arrives on schedule 



BY ALEX HANDY 

Red Hat has festooned its 
Fedora with numerous updates 
and glittering graphical gew- 
gaws. 

Fedora 8, the company's 
community-developed Linux 
distribution, arrived in early 
December as planned and was 
bumped to version 8.0.1 
before the end of the year. The 
biggest changes to the dis- 
tribution in this trip to the 
haberdasher are numerous 
targeted installations, dubbed 
"Spins" by the Red Hat team 
behind its development. Also 
included are desktop graphic 
enhancements and wireless 
management features that 
make this free Linux distribu- 
tion behave more like its com- 
petition from Apple, Microsoft 
and Ubuntu. 

Fedora 8's new Spins are,
for now, simply slimmed-down 
installation packages. The 
Fedora community is planning 
to open up many other types 
of targeted distribution instal- 
lations as the project progress- 
es. But for now, Spins are 
mostly built for quick network 
installation, or for live opera- 
tion from USB memory sticks. 
As one might expect, the pri- 
mary Spin of Fedora 8.0.1 is 
meant for desktops and work- 
stations. Fedora can also be 
configured in kiosk mode, 
thanks to new user account 
options. 

For Java developers, Fedora 
8.0.1 includes Red Hat's own 
IcedTea Java environment. 
IcedTea is based on Sun 
Microsystems' OpenJDK, but 
includes Red Hat-made plugs 
for the code holes that still exist 
in the Sun project. Fedora 8.0.1 
includes a fully open source 
Java runtime and development 
environment. 

DESKTOP APPEAL? 

For desktop users, Fedora 8 
provides Gnome 2.20, and can 
also be fitted with KDE 3.5.8. 
KDE users also have the 
option to download and install 
the development version of 
KDE 4.0 from Red Hat's 
repositories after they've 
installed Fedora. 

Desktop users will likely
notice some graphical addi-
tions to their windows and
scroll bars, as Fedora 8.0.1
includes Compiz Fusion.
Compiz Fusion is installed by
default, but must be enabled
by the user in the system pref-
erences. Once enabled, Com-
piz Fusion brings window
morphing and desktop rota-
tion into the user experience,
and has been compared to
Mac OS X's Spaces feature.

For developers looking to
build applications that will run
inside Fedora, this new ver-
sion offers a significantly
changed Linux kernel. Based
on kernel version 2.6.23,
Fedora 8.0.1 includes the
recently merged Completely
Fair Scheduler. This brand-
new scheduler handles all of
the CPU resource allocation
with a timeline for tasks.
The Road to Java EE 6



JSR 317 Persistently Improving 

JPA 2.0 will offer better mapping and modeling of object relations 







BY ALEX HANDY 

In the days when even the 
largest systems had what would 
now be considered extremely 
limited resources, data han- 
dling was fairly straightforward. 
There once was RAM and hard 
storage, and, outside of virtual 
memory, the two never mixed. 
Data in RAM was there until 
the program ended, while data 
on the hard drive was consid- 
ered the authoritative version. 

But as resource constraints 
faded, all of this changed: RAM 
could be stored for later use, 
and in-memory data didn't 
always have to vanish when the 
program finished running. 
Today, data persistence is an 
issue for developers at many 
levels. 

Persistence has blurred the 
lines between data at runtime 
and data for storage, and that's 
why the Java Community 
Process has been working to 
improve the practice through 
JSR 317, the specification for 
the Java Persistence API (JPA)
version 2.0.

Linda DeMichiel, senior 
staff engineer at Sun and speci- 
fication lead on JSR 317, said 
that the new version of JPA 
would be based on lessons 
learned in other persistence 
systems. Specifically, she's hop- 
ing to bring criteria-based 
dynamic query generation into 
the API.

"Hibernate has a criteria
API that is regarded quite well
in the Hibernate community.
TopLink has a similar API from
which we can also learn. Of
course, query by example has
been around for decades," said
DeMichiel.

"We want to look at adding
an API for so-called criteria
queries. Think of them as a dif-
ferent way to formulate dynam-
ic queries that is more object-
oriented than those used in
string-based queries. Think of
criteria as being formulated
more in terms of a query tree:
The nodes of the tree are cen-
tered around the object catego-
ry. You build up a category tree
at runtime. That gives a bit
more user-friendly manner for
constructing dynamic queries,"
said DeMichiel.

Persistence systems guided Linda DeMichiel, JSR 317 specification lead.

While the JPA 2.0 specifica- 
tion won't be complete until the 
end of 2008, DeMichiel noted 
that she and the expert commit- 
tee on the JSR 317 team have 
already done a great deal of 
work around "topics related to 
expanding the object relational 
mapping functionality and the 
modeling of Java persistence," 
as she put it. 

This is work that needs to be 
done before the rest of the 
specification takes shape, she 
said, because the JPA query 
language will be adapted to 
include new modifications 
around these capabilities. 

Also on the docket for JPA
2.0 are numerous new features
added to meet real-world 
requirements. DeMichiel said 
that these have been numerous, 
and she takes these as a good 
sign for the health of JPA in the 
wild. "We've had a lot of 
requests for collections of basic 
types, collections of embedda- 
bles," she explained, adding 
that foreign key mapping for 
one-to-many relationships was 
also added at user request. 
"Support for ordered lists, 
where the ordering is made 
persistent in the database" will 
additionally be present. "All of 
those you'll see coming out in 
the first draft of the spec we 
release," said DeMichiel. 

But, it's still too early to 
estimate when that first draft 
will arrive, she said, even 
though the final version of JPA 
2.0 should arrive at the same 
time the rest of Java EE 6 
takes shape, sometime at the 
end of 2008.
ILOG JViews 8.1
Boosts Performance

ILOG has souped up its JViews visualization components with more optimized JavaScript code
and CSS improvements for the control and rendering of graphical objects. JViews 8.1 speeds up
selection of objects across the suite, the Diagrammer integrates with the Maps component, and
JViews Gantt is more deeply integrated with Eclipse to work directly with SWT graphics.



Ounce Labs Teams Up 
With Apache Maven 

New version of analysis engine 
integrates with build platform 



BY JEFF FEINMAN 

Ounce Labs earlier this month 
released the latest version of its 
flagship security analysis en- 
gine, with new build automa- 
tion capabilities that include 
support for the Apache Soft-
ware Foundation's Maven build
platform. 

Ounce 5.0.4 comes with two 
new components: the Ounce- 
Maven plug-in and the Ounce 
Automation Server. 

The Ounce-Maven plug-in
allows Ounce to integrate with 
the Maven build environment 
by allowing the generation of 
Ounce projects and applica- 
tions that are based on Maven 
project files. Ounce scans can 
also be carried out on Maven 
projects with the option to pub- 
lish and save results, and a 
report can be displayed with 
the results of the scan. The 
plug-in operates independently
of other Ounce components
when creating application and 
project files, but it uses the 
Ounce Automation Server for 
scanning and reporting. 

The Ounce Automation 
Server allows the managed 
running of scans and publish- 
ing the results in addition to 
generating reports. It can be
configured to act as an Ounce
user and, when in use, has the
same permissions as that user.
It comes with a free-standing 
CLI, the Ounce Automation 
Server Command Line client. 
According to Ounce officials, 
clients of the Ounce Automa- 
tion Server are tied to a partic- 
ular host, reducing the likeli- 
hood of confusion. 

The source code for the 
Ounce-Maven plug-in will be 
hosted at the Codehaus open 
source project repository, at 
mojo.codehaus.org.
Coghead Moves to Adobe
Flex, Hosting by Amazon 



< continued from page 1 

servers and storage. 

Although the company decided to 
rewrite the entire application from 
scratch in Adobe's Flex, the underlying 
functionality of Coghead's rich client 
has not changed in ver- 
sion 2.0. Previous ver- 
sions had been based 
on OpenLaszlo, but 
Greg Olsen, CTO and 
founder of Coghead, 
said the Flex version is 
significantly more re- 
sponsive and usable. 
This makes a big differ- 
ence for end users, who 
use and access Coghead 
applications through 
the same client used for 
development, he noted. 
Developers simply use 
a higher level of access, and thus have 
the ability to move and change the ele- 
ments displayed to end users. 

The Coghead client is a visual devel- 
opment environment targeted at front- 
line users who need to construct simple 
applications that replace existing tools 
embedded in databases or spreadsheets. 
With Coghead's back-end system now 
running on Amazon's S3 storage system 
and running on top of the Amazon Elas- 
tic Compute Cloud (EC2), this SaaS 
solution to desktop problems is now 






reliable and can accommodate 
larger applications, claimed Olsen. 

He added that Coghead has been 
used to build all manner of data-driven 
applications. "I'd say the applications 
are functionally all over the place, from 
custom lead manage- 
ment to organizational 
management things. 
There's a lot of small 
business applications or 
departmental applica- 
tions in larger compa- 
nies. People use our 
product to solve prob- 
lems they might have 
used spreadsheets or 
FileMaker to solve in 
the past," said Olsen. 

Coghead 2.0 runs on
any system that supports
Adobe Flex applications.
The software costs US$50 for a five-user
license, and additional licenses can be
purchased for $10 per user.

For the future, Olsen said that he'd 
like to improve Coghead's integration. 
Currently, Coghead applications can 
be integrated with outside applica- 
tions, but Olsen said he hoped to 
expand the range of possible integra- 
tions and work with ISVs to bring in 
targeted integrations. Additionally, 
Olsen said future versions should allow 
users to run applications offline.



Catching a Web 2.0 Wave 

Visual Assembly Studio now available 



BY JEFF FEINMAN 

Web 2.0 application tool creator Wave- 
Maker Software, formerly ActiveGrid, 
announced the general availability of the 
WaveMaker Visual Assembly Studio and 
the WaveMaker Rapid Deployment 
Framework for enterprise Web 2.0 
applications. 

The Visual Assembly Studio, 
announced in mid-December, uses 
drag-and-drop assembly of AJAX wid- 
gets, databases and Web services. 
It is available for free via download. 
The tool provides developers with a 
visual environment to create Web 
applications without complex code or 
portal frameworks, company officials 
said. WaveMaker claims that the studio 
has accelerated the development of 
applications by as much as 67 percent 
and cut lines of code written by 98 
percent. This dramatically smaller 
codebase, officials claimed, means 
that visually assembled applications are 
cheaper to maintain and easier to 
manage. 



Web applications built with the 
WaveMaker Visual Assembly Studio 
can then be deployed with the Wave- 
Maker Rapid Deployment Framework 
onto Java application servers, including 
Apache Tomcat and Java EE servers 
from BEA Systems, IBM, Red Hat and 
Sun Microsystems. The Rapid Deploy- 
ment Framework is commercially 
licensed. Full installations of the Wave- 
Maker Rapid Deployment Framework 
start at around US$25,000. 

"We are pleased with the positive 
feedback we received from those who 
have participated in our beta program," 
said Christopher Keene, CEO of Wave- 
Maker, in a prepared statement. "The 
Visual Assembly Studio and Rapid 
Deployment Framework provide 
developers with a solution to quickly 
develop and deploy applications on any 
Java platform with significantly less 
code — dramatically improving business 
productivity while still complying with 
core IT standards for security, data and
governance."






24 



NEWS 



Software Development Times . January 15, 2008 . 



www.sdtimes.com 



Software AG Continues SOA Buying Spree 



BY DAVID WORTHINGTON 

While millions were walking
the malls and Main Streets,
Software AG did some holiday
shopping of its own in Decem-
ber, snatching up Jacada's appli-
cation modernization business.
The acquisition was the latest in
a string of buyouts that have
broadened the company's pres-
ence in the SOA market.

The company on Dec. 20
announced the acquisition, a
US$26 million cash transaction
that expands Software AG's
legacy modernization portfolio
with products for modernizing
the user interface of mainframe
and midrange-based applica-
tions. It also gains more than
200 enterprise customers, locat-
ed mostly in the United States.

The deal was effective as of 
Jan. 1. Karl-Heinz Streibich, 
CEO of Software AG, said in a 
prepared statement that Jacada 
customers would benefit from 
expanded research and devel- 
LEADTOOLS
Raster Imaging Pro

by LEAD Technologies

Raster Imaging Pro gives developers the tools
to create powerful imaging applications. LEADTOOLS
libraries extend the imaging support of
the .NET framework by providing comprehensive
support for image file formats (150+),
200 image processing filters, compression,
TWAIN scanning, high-speed image display,
color conversion, screen capture, special effects
and more.

• .NET, API & C++ Class Libraries
• AJAX and Web Forms Controls
• COM Interop wrapper for .NET
• Royalty Free
dtSearch Web with Spider

Quickly publish a large amount of data to a Web site

• Dozens of full-text and fielded data search options.
• Highlights hits in XML, HTML and PDF, while
displaying links and images; converts other files
("Office," ZIP, etc.) to HTML with highlighted hits.
• Spider adds local or remote web sites (static and
dynamic content) to searchable database
• Optional API supports SQL, C++, Java, and all
.NET languages.

"Bottom line: dtSearch manages a terabyte of
text in a single index and returns results in
less than a second." — InfoWorld



Download dtSearch Desktop with 
Spider for immediate evaluation 



Single Server 
Paradise # 
D29072P 

$ 873." 

programmers.com/dtsearch 



VMware Lab Manager 2.5 

Provision complex development and test 
environments in seconds, rather than days, 
with VMware Lab Manager. You'll be able 
to shave man-months off software develop- 
ment cycles through rapid, automated setup 
and teardown of even the most complex 
multi-machine environments. On-demand 
access to a shared library of complex system 
environments will give your developers and 
testers instant use of the resources they 
need, while leaving IT in administrative 
control. You'll also save money by pooling 
servers, networking, storage and other 
resources that can be shared across 
development and test teams. 
DevTrack

Powerful Defect and Project Tracking

by TechExcel

TechExcel DevTrack is the most powerful,
affordable and easy-to-use defect and project
tracking tool for development organizations.
You'll dramatically transform your development
processes, save significant time and resources,
and deliver quality products on-time and
on-budget.

• Distributed team support 

• Sophisticated workflow engine 

• Built-in indexed search engine 

• Point-and-click administration 

• Fully configurable user interface 

programmers.com/techexcel 

/n software Red Carpet 
Subscriptions 

by /n software 

/n software Red Carpet™ Subscriptions give
you everything in one package: communications
components for every major Internet
protocol, SSL and SSH security, S/MIME
encryption, Digital Certificates, Credit Card
Processing, ZIP compression, Instant
Messaging, and even e-business (EDI)
transactions. .NET, Java, COM, C++, Delphi,
everything is included, together with per
developer licensing, free quarterly update CDs
and free upgrades during the subscription term.



programmers.com/nsoftware 

StorageCraft ShadowProtect 
IT Edition v3.0 

by StorageCraft 

Create, edit or restore backup images on as
many servers, desktops and laptops as needed.
Create online or cold state backups in minutes,
no software installation required. StorageCraft™
ShadowProtect IT Edition provides complete
bare metal recovery in minutes. ShadowProtect
IT Edition provides IT Professionals with a
bootable Windows environment to create and
restore compressed and encrypted backups,
no software installation required.
c-tree Plus®

by FairCom 

With unparalleled performance and sophistication, 
c-tree Plus gives developers absolute control over 
their data management needs. Commercial 
developers use c-tree Plus for a wide 
variety of embedded, vertical market, 
and enterprise-wide database applications. 
Use any one or a combination of our flexible 
APIs including low-level and ISAM C APIs, simplified 
C and C++ database APIs, SQL, ODBC, or JDBC. 
c-tree Plus can be used to develop single-user and 
multi-user non-server applications or client-side 
application for FairCom's robust database server 
— the c-treeSQL™ Server. Windows to Mac to 
Unix all in one package. 
TX Text Control 14

Word Processing Components

TX Text Control is royalty-free,
robust and powerful word processing
software in reusable component form.

• .NET WinForms control for VB.NET and C#

• ActiveX for VB6, Delphi, VBScript/HTML, ASP 

• File formats DOCX, DOC, RTF, HTML, XML, TXT 

• PDF export without additional 3rd party 
tools or printer drivers 

• Nested tables, headers & footers, text 
frames, bullets, numbered lists, multiple 
undo/redo, sections, merge fields 

• Ready-to-use toolbars and dialog boxes 
Vizioncore vReplicator

by Vizioncore 

vReplicator is the real-time replication solu- 
tion for the VMware ESX Server environ- 
ment. Replication is performed outside the 
guest at the Service Console. The replica- 
tion scheme is based on time elapsed 
and/or the size threshold for changes in 
the cache of the files being replicated 
(.VMDK and .VMX). With vReplicator, the 
entire virtual machine is replicated, includ- 
ing configuration settings, patches to the 
OS, the applications themselves as well as 
the data and all other OS-level changes. 
Altova® MapForce® 2008

Visual Data Conversion, 
Transformation, and 
Integration Tool 
by Altova 

MapForce: The premier data mapping, 
conversion, and integration tool from 
the creators of XMLSpy®. Through 
its visual interface, users can map 
seamlessly between any combination 
of XML, database, flat file, EDI, and/or 
Web service, then convert data instantly 
or auto-generate an application for 
recurrent transformations. Languages for 
code generation include: XSLT 1.0/2.0, 
XQuery, Java, C++, and C#. 
Telerik RadControls

by Telerik 

Add grid, combo, editing, navigation and charting 
functionality to your AJAX and ASP.NET projects. 
RadControls for ASP.NET enhances your Web 
applications by adding AJAX functionality to your 
ASP.NET projects. The suite takes full advantage 
of the features included in Visual Studio 2005. 
RadControls for ASP.NET helps developers deliver 
feature-rich, standards-compliant (WAI-A, WCAG 
1.0, XHTML 1.1) and cross-browser compatible 
Web applications, while significantly cutting 
their development time. RadControls for ASP.NET 
includes: RadEditor, RadTabstrip, RadInput,
RadCalendar, RadUpload, RadWindow, RadAjax, 
RadGrid, RadCombobox, RadMenu, RadSpell, 
RadChart, RadTreeview and more. 
Multi-Edit 2006

by Multi Edit Software 

Speed, depth, and uncompromising access to 
the inner workings of the machine, Multi-Edit 
2006 delivers it all. A top tier program editor, 
ME2006 provides a single environment in 
which can control all your VCS programs and 
compilers, and at the same time integrate 
with your existing RAD environments. Easily 
handle large (the only limit is your hardware) 
DOS/Windows, UNIX, binary, and Macintosh 
files in over fifty programming languages. 
Right out of the box, ME2006 comes ready 
to roll handling large DOS/Windows, 
UNIX, binary and Macintosh files in over 
50 programming languages including Ruby, 
XHTML and more. 
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opment. Eight of Jacada's R&D 
and support staff will join Soft- 
ware AG, providing some conti- 
nuity in product evolution. 

Some of the more notewor- 
thy Jacada products are Host- 
fuse, an integration solution to 
modernize green-screen appli- 
cations and allow them to par- 
ticipate within the context of a 
service-oriented architecture. 
Jacada Interface Server gener- 
ates thin-client graphical inter- 
faces for legacy applications in 
either Java or XHTML. It is 
interoperable with both the 
.NET Framework and Java 
application servers, according 
to the company. 

Software AG is also acquiring
the intellectual property
behind Jacada Innovator,
Jacada Interface Server, Jacada
Terminal Emulator and Jacada
Studio. It will continue to use
the Jacada product names for
the near term.

A BROADENING REACH 

Software AG's absorption of
Jacada follows its $546 acquisition
of WebMethods in June,
and its purchase of a majority
stake in SPL Israel in March,
for $62 million.

"Software AG's WebMethods
acquisition was most definitely
[meant] to make them a
player, primarily in the North 
American market — and their 
recent quarter has proven that 
the move was a good one," said 
Jason Bloomberg, a managing 
partner with ZapThink. "The 
Jacada acquisition, however, 
was more of a gap-filling move 
to help them tie their long-term 
legacy customer base with their 
increasingly solid SOA story," 
he noted. 

Bloomberg added that the 
acquisition of SPL Israel was 
another step in Software AG's 
strategic plan to solidify its lead- 
ership positions in its markets. 
"SPL is a profitable company, 
which adds to Software AG's 
bottom line, simple as that." 

Software AG released WebMethods
7.1 in September, the
first convergence product bearing
the WebMethods brand
since the merger.

WebMethods' mainframe
integration technology was
combined with Software AG's
EntireX transaction-oriented
integration tools. Users of WebMethods
mainframe software
may migrate to the EntireX
platform, and Software AG is
continuing to support WebMethods'
DataDirect Neon
Shadow customers.
Trademarks Can Throw Up Roadblocks

Icons can present legal headaches for careless developers and designers 



BY ALEX HANDY 

In an era of code copyright 
confusion, traditional legal 
hotspots may be overlooked in 
the development process. 
While development managers 
are getting a handle on just 
what source code can be legal- 
ly copied into an application, 
icons and their relevant trade- 
marks could present an even 
deeper legal hole for some 
developers. Buttons, images 
and icons aren't typically at the 
top of the priority list for 
developers — being thought of 
as mere "eye-candy" by some 
coders — but astute legal wran- 
glers already know that trade- 
mark law can be treacherous. 

Tiki Dare, Sun Microsys- 
tems' director of trademarks, 
said that most software houses 
have a plain case from where 
to draw their lessons on trade- 
marks. The Mozilla Firefox 
Web browser has been includ- 
ed in the Debian Linux distri- 
bution as part of its standard 
desktop installation for years, 
she explained. Debian has a 
reputation for being the most 
widespread "free" Linux dis- 
tribution, she continued, and 
in the past the project has had 
lengthy internal discussions 
over software licenses and the 
relative freedom of various 
software packages. 

In 2004, the distribution's 
caretakers began to fret over 
the trademarking by the 
Mozilla Foundation of the 
Firefox name and logo. In 
order to forestall possible legal 
restrictions, the Debian team 
changed the name and icon of 
its Firefox binary to IceWeasel 
in early 2005. 

SIGNPOSTS FOR THE USER 

In the end, said Dare, trade- 
marks are all about communi- 
cating with the end user. 
When users install Firefox, 
they can be confident that it 
will be the same software 
they're used to, no matter the 
platform, she added. 

While the IceWeasel dis- 
pute is an isolated case, it does 
offer some insight as to how a 
development team can best 
cope with trademark issues as 
they crop up during a develop- 
ment process. 

"Engineer your applications
in such a way so that
changing icons and splash
screens is easy," said Dare.
"Striking the right balance is
hard, and is it the right balance
for whom? The reason
this is so important is interoperability.
You can make a fair
argument that it's the Holy
Grail. Trademarks communicate
[interoperability] in one
step. You can use a trademark
and a trademark license to
keep that interoperability to a
community, and in the same
step you can communicate
that to the end user."
XBRL Revolution Has Begun For Financial Reporting

< continued from page 1

as a standard for bank reporting.

David Blaskowsky, director of the SEC's
Office of Interactive Disclosure,
explained that the comment period is
intended for real-world users to ensure
that the taxonomy is complete and to
identify any remaining issues and gaps
that need to be addressed.

A government-imposed mandate may
follow suit. Blaskowsky said that the SEC
was engaged in a "serious rule-making
process" and could create a rule as the
end of the first quarter. The SEC will
hold roundtable events for stakeholders
across the U.S. in the coming months.

He noted that the SEC is working
closely with other financial regulatory bodies
across the world. "There will be substantial
benefits if the movement of information
across borders can be facilitated,"
he added. "The biggest win is the comparability
and transferability of information."

XBRL has received wide acceptance
internationally for financial reporting:
China and Japan mandate its use, and the
United Kingdom is expected to make
XBRL reporting obligatory by 2010.

Blaskowsky said that companies
should start looking at XBRL today. "Given
software cycles, [developers] have got
to [pilot XBRL] today to have the tools
that are required when the data becomes
available. Deploy some resource, take a
run at it, and work in conjunction with
financial management," he said.

REAL-WORLD BENEFITS

The SEC's Blaskowsky said that there
were three main value propositions: Internal
and external financial information is
available in real time, information does
not have to be re-entered, and there is an
absence of human errors introduced by
intermediaries and any error is preserved.

"It's not about the language; XBRL is 
an enabler," he said, explaining that an 
XBRL-driven financial system enables 
new functionality and benefits. Some of 
the examples Blaskowsky mentioned are 
RSS feeds and alerts with settings for 
reports that have revenues or ratios that 
fall within specified parameters. 

Mike Willis, a partner with Pricewater- 
houseCoopers and founding chairman of 
XBRL International, feels that the value 
proposition is to leverage standards like 
XBRL to streamline business processes 
within the enterprise, engage financial 
counterparts in reviews of taxonomy, and 
lower subsequent reporting time and costs. 

PricewaterhouseCoopers has built 
XBRL into its analytical tools: Spread- 
sheets self-populate and accountants 
create reusable and sharable analytical 
formulas instead of keying in macros. 
"[XBRL] can be used to apply analytical 
concepts to the entire internal informa- 
tion supply chain," Willis said. "It's like 
an MP3 file for analytical concepts." 

Likewise, economics of financial 
reporting could be affected. Willis noted 
that XBRL pushes validation and analy- 
sis away from the consumer and back 
onto the preparer, streamlining the 
reporting process. "Today [financial 
analysis and validation] is a cyclical 
process that takes days or weeks." 

XBRL also simplifies business rules 
management systems. "XBRL abstracts 
rules from the software layer and articu- 
lates it in taxonomies; it is more stream- 
lined and is managed and controlled at 
the IP layer," he said.



MICROSOFT HYPES VISUALIZATION 



BY JEFF FEINMAN 

Microsoft has released a public beta of
Hyper-V, the hypervisor-based virtualization
feature in Windows Server 2008.

Some new features that weren't previ- 
ously available in the September Commu- 
nity Technology Preview include a quick 
migration feature, as well as the ability to 
use Hyper-V as a Server Core role, and to 
enable it with the Server Manager tool. 

The beta version of Hyper-V, 
released in mid-December at
www.microsoft.com/ws8eval, can be used to
test applications, and plan future consol- 
idation, business continuity and high- 
availability projects, according to 
Microsoft officials. As a feature of Win- 
dows Server 2008, Hyper-V is designed 
to provide customers with familiar virtu- 
alization infrastructure software that can 
help reduce operating costs, increase 
hardware utilization, optimize infra- 



structure and improve server availability. 

The beta is currently available for the 
x64 Enterprise Edition; a CTP is avail- 
able for evaluation on other supported 
systems. The final version of Hyper-V is 
slated for release within three months of 
the shipment of Windows Server 2008, 
due for release by the end of February. 

"Delivering the high-quality Hyper-V 
beta earlier than expected allows our cus- 
tomers and partners to begin evaluating 
this feature of Windows Server 2008 and 
provide us with valuable feedback as we 
march toward final release," said Bill Laing, 
general manager of the Windows Server 
Division at Microsoft, in a statement. 

In late October, Microsoft announced 
that Hyper-V, then without a name, would 
be available under its Open Specification 
Promise, making it possible for third-party 
hypervisors and operating systems to 
interoperate seamlessly with its platform.
Farewell, Netscape, but I Suppose It's Time



BY P.J. CONNOLLY 

The holidays aren't really the 
holidays without a ghost of 
years past, and in 2007, the 
ghost was called Netscape. 

When I heard that AOL had 
pulled the plug on the 
Netscape Web browser, I was 
less surprised by the news than 
by the revelation that the com- 
pany was still maintaining it. 

At the risk of betraying my 
age, let's just say that I've been 
around the track a few times, 
and I remember when the 
rumors surfaced in 1993 of a 
graphical Web browser that was 
being worked on at the Univer- 
sity of Illinois' main campus. As 
a Northwestern grad, I wasn't 
sure that the farm boys could 
make it work, but I was happy 
to be proven wrong. 

In those days, I was the IT 
manager of a daily legal news- 
paper in San Francisco, and a 
year or so before, my proposal 
for a dedicated connection to 
this thing called the "Internet" 
that would aid our writers and 
editors in research — and to be 
honest, I was looking forward 
to using it myself — had been 
unceremoniously shot down as 
a waste of money. But when 
the whispers of a browser 
called "Mosaic" became a 
buzz, all of a sudden I was on 
the hot seat. 

OF SIMPLER TIMES 

Perhaps one of the things that 
saved some of us in those days 
was that HTML was just 
another markup language. I'd 
been monkeying with 1980s- 
vintage typesetters and pub- 
lishing software for several 
years at that point, so a lot of 
the early process of putting 
copy up on the Web was a sim- 
ple matter of changing the 
macros that set up the format- 
ting strings. After all, XML is 
just SGML with better market- 
ing, isn't it? 

Honestly, in 1994 it was 
more exciting to have a con- 
nection nailed up than it was to 
make something render attrac- 
tively on a Web page. But the 
standards were lower then, and 
the bandwidth sucker that 
became Flash was still a 
dream. 

Time passed and Microsoft 
got its act together — on the 
fourth try. Like most of the 
computing community, I 
became tired of the bugs in 



Netscape Navigator, 
and eventually realized 
that Internet Explorer 
worked "well enough" (at least, 
it did for Windows). 

Even though much of the 



ANALYSIS 



Netscape Navigator 
legacy lives on in 
Mozilla Firefox, it's not 
the same thing. Like the child 
who surpasses the parent's 
achievements, Firefox is the 



browser that Netscape should 
have built. 

So the story ends a couple of 
weeks from now, when AOL 
officially ends support, and 
since it's been a decade since 



Netscape was relevant, I guess 
it was overdue. But that doesn't 
make it any easier to say good- 
bye to an old friend, no matter 
how long it's been since you had 
any fun together.
New Roles, Rules Take Getting Used To



< continued from page 1 

database experts [and so forth], 
and agile hasn't changed that," 
he said. "They stick with what
they know."

Goodman hasn't had that lux- 
ury. The Scrum practice of self- 
managing teams has changed his 
role drastically. "I can no longer 
say: 'Do this, and do that.'" 
When problems cropped up in 
the past, Goodman solved them 
by delegating tasks to team 
members. Now he retreats to his 
office and lets the team come up 
with its own solution. He is com- 
mitted to the new way of work- 
ing, even though he admitted it 
feels "a little scary, almost like 
you're losing control." 

For developers on agile 
teams, nothing feels more unfa- 
miliar than pair programming, 
the Extreme Programming 
(XP) practice whereby two 
developers write code together 
at a single workstation. "Every 
minute your ideas are chal- 
lenged, and you have to explain 
them to someone else," said 
Oxygen Media software devel- 
oper Wendy Friedlander. 

The cable network adopted 
its own variant of XP, which 
includes some Scrum practices, 
in January 2004. Even though 
Friedlander said pair program- 
ming "feels strange all the time," 
she likes it. The Oxygen team of 
eight changes partners once a 
day, and that results in better 
software, where each feature is 
carefully thought through. 
"When you are working alone, 
it's hard to tell if something you 
have done — such as the place- 
ment of a control — will confuse 
the intended user," she said. 

"But with pair programming,
the whole team is thinking about
[this issue]," added Oxygen software
developer Oksana Udovitska.
"You let go of ownership of
your code and come up with the best





Agile demands more from business 
stakeholders, says Sapient's Carter. 



Direct Tech's Goodman says he is
committed to Scrum even though
it feels 'like you're losing control.'

solution. When you're working 
alone, you can never be confi- 
dent of that." 

Friedlander noted that a 
common objection to pair pro- 
gramming is that the technique 
is inefficient, that a developer 
working alone can write code 
faster than two working side by 
side. But the benefits are coun- 
terintuitive, she said. "You gain 
things you would never gain oth- 
erwise." For instance, there is no 
need for the team to stop work 
and discuss an application's 
design. "When you are switching 
pairs [once a day], you know." 

Pair programming with pair 
switching gives management a 
better handle on what's hap- 
pening, too, said Oxygen vice 
president of software develop- 
ment Ken Judy. "At some level, 
you have to try to understand 
what each individual is accom- 
plishing. In pairing, discussions 
over what each developer is 
doing are inherent." 

GEARED TO AVOID CONFLICT 

Pair programming has a love-it- 
or-hate-it reputation. But even 
agile practices that don't inspire 
that reaction force developers to 
abandon customary ways of 
working. 

Direct Tech's Goodman 
offered an example. Scrum man- 
dates that developers focus on 
one task at a time. That is harder 
than it sounds, he said. "Let's say 
the task is 'add a new customer.' 
The developer does that. Then 
he thinks to himself: I might as 
well do the update customer 
function and the delete cus- 
tomer function at the same 
time." This feels more efficient. 
But in agile, where tasks are 
defined in a much more granular 
manner, it's not, Goodman said. 
"In the long run, we get a [better]
add function, a [better] delete
function, and a [better] update
function."

One change that impacts 
every agile stakeholder is learn- 
ing how to accept criticism and 
act on it constructively, said Agile 
Infusion consultancy owner Bob 
Schatz. Agile is all about feed- 
back, and soliciting it early and 
often is crucial to keeping pro- 
jects on track, he said. "If the 
users [you are developing for] 
don't like what you're doing, you 
will know within three weeks," 
he said. But for most people, 
negative feedback is hard to give 
and hard to hear. "It makes peo- 
ple uncomfortable," said Schatz. 

Showing the customer what 
the team has come up with is 
indeed nerve-wracking, said 
Oxygen software development 
manager Luke Melia. "You 
hope that nothing blows up." 
The Oxygen team meets with 
the business stakeholders every 
two weeks, and over time mutu- 
al respect has developed, he 
said. "There were meetings 
where the business thought we 
had worked magic." One didn't 
go so well. "We didn't get it 
right at all," recalled Melia. "We 
had underestimated the diffi- 
culty of the task. I felt terrible." 

STEP UP TO THE PLATE 

Agile puts the business stake- 
holders in the hot seat, too. 
"They have to accept that the 
developers aren't just order-tak- 
ers," said Greg Reiser, vice pres- 
ident for consultancy Thought- 
works. When new requirements 
come in, a dialogue ensues, 
trade-offs are discussed, and a 
decision on how to proceed is 
jointly reached, he said. 

Brian Carter, a vice president 
for consultancy Sapient, agreed. 
"Business stakeholders have 
been asking for more involve- 
ment in application develop- 
ment, and agile gives them that." 
But it also demands more time, 
dedication and focus than has 
traditionally been asked of them. 
Getting business stakeholders to 
commit may mean getting the 
boss involved. "You have to take 
that person out of the business 
and dedicate his time to [the 
agile effort]," said Carter. "It's 
hard to succeed if the business 
stakeholder has a day job." 

Getting everyone to show up 
is only half the battle. Also key is 
making sure the business stake- 
holder's interests aren't mis- 



aligned with those of the devel- 
opers. Outdated reward systems 
are not always apparent, and 
they can undermine or even 
derail agile projects, said Sapient 
senior manager Erik Gottes- 
man. He offered an example. "A 
development project has two 
stakeholders: one from the busi- 
ness, the other from IT. The 
business guy's success is mea- 
sured by how many features he 
can cram in. The IT stakeholder 
is rewarded according to how 
many delivery dates he makes." 
That's disastrous for agile pro- 
jects, he said. "The business 
pushes for new features that 
aren't needed, and IT focuses on 
meeting deadlines, instead of 
delivering [exactly what the 
business needs]." That is the 
worst way to organize intellectu- 
al work, said IBM's Ambler. "We 
need to change our ways." 

What's the right way to 
reward project stakeholders? 
Agile is all about feedback, and
negative feedback is hard to hear, 
says Agile Infusion's Schatz. 



"There are no perfect solutions," 
said Gottesman. "You need to 
quantify the business results you 
seek to realize from features, in 
financial terms." Also important 
is deciding how to evaluate the 
performance of each member of 
the agile team. 

"You don't want to judge 
them solely on their individual 
merits," said Agile Infusion's 
Schatz. He recommended a 
three-part plan: one-third is the 
team's overall performance, one- 
third is how well the individual 
works with the team, and one- 
third is the individual's skills in 
core areas of expertise, such as 
QA or coding. 

Agile's success depends heavi- 
ly on how well team members in- 
teract with one another, and on 
the team's ability to resolve con- 
flict, said Schatz. "If all you know 
is Scrum, you're in trouble."



Agile 
At Scale 



BY DAVID WORTHINGTON 

Many enterprises are now developing
their software globally. At
SD Best Practices, held in
Boston in mid-September, IBM
Rational's Scott Ambler discussed
with us the challenges of
geographically distributed development
and possible solutions.

He contends that there is no 
single cure-all approach; agile is 
relative, and a quality manage- 
ment approach that can be 
applied successfully in one situ- 
ation may fall short in others. 

From a quality management 
perspective, it is essential that 
remote quality teams have a firm 
understanding of changes and 
provide continuous feedback to 
developers. This, Ambler said, 
reduces the risk of miscommuni- 
cation, incomplete communica- 
tion, or even the absence of com- 
munication of the change to 
widely dispersed quality teams. 

He recommends that teams 
follow the agile approach to pro- 
vide "just enough" change and 
test management. Agile quality 
management teams should be 
fully integrated into a continu- 
ous and collaborative feedback 
loop with business analysts, cus- 
tomers and developers. 

He also hosted a breakout 
session about agile's relationship 
to model-driven development, 
with the advice that modeling 
and documentation should be a 
part of all agile projects. Accord- 
ing to Ambler, agile documenta- 
tion is the least efficient form of 
communication, so executable 
specifications are preferable 
over static documentation. 

Documentation should also 
be simple and concise single 
source information, and teams 
should document "stable things, 
not speculative things," he said.




All agile projects need modeling and 
documentation, says IBM's Ambler. 
Wind River At
Heart of LiMo CIE 

Build tools chosen for 
integration initiative 



BY P.J. CONNOLLY 

If anyone wondered whether 
the LiMo Foundation's goal of 
reducing fragmentation in the 
Linux mobile handset market 
was all talk, the question may 
have received its first answer. 

The foundation's Common 
Integration Environment took 
a big step forward in Decem- 
ber, with the announcement 
that it had selected technology 
from Wind River Systems as 
the core for the project. The 
Alameda, Calif.-based compa- 
ny's build and configuration 
system will provide the "fun- 
damental building blocks" for 
CIE, noted the company. 

The company's tools won 
the race because the "environ- 
ment is specifically designed 
to solve the fundamental prob- 
lem of managing and integrat- 
ing a rapidly evolving mobile 
phone stack and ecosystem," 
noted LiMo Foundation exec- 



utive director Morgan Gillis in 
a prepared statement from 
Wind River. 

The former Symbian sales 
honcho, who joined the foun- 
dation in September, added 
that as all future member con- 
tributions to CIE would use 
Wind River's layered build sys- 
tem, the goal of a unified 
mobile Linux ecosystem had 
come closer to fruition. 

The CIE is intended to 
allow LiMo to easily manage 
components developed by 
members, and allow the easy 
exchange and update of com- 
ponents that will allow OEMs 
and operators to differentiate 
their handsets while remaining 
within the LiMo specification. 
It is also expected to reduce 
the time-to-market and 
improve the quality of mobile 
applications by reducing the 
time required for test and QA 
processes.



Mobile WiMAX Lights
Up First Testing Lab



BY P.J. CONNOLLY 

Mobile WiMAX took a step 
closer to being reality with the 
announcement that formal cer- 
tification testing of devices had 
begun, with an estimated 300 
operators in more than 65 
countries currently engaged in 
Mobile WiMAX pilots and tri- 
als, says the WiMAX Forum. 

The lead certification lab, 
at AT4 Wireless in Spain, 
began accepting products 
using the 2.3 GHz and 2.5 
GHz bands last month, 
according to the WiMAX 
Forum, which expects certi- 
fied Mobile WiMAX products 
to reach the market later this 
year. Other certification labs 
in the United States, China, 
India, Korea and Taiwan are 
expected to come online this 
year to share the burden of 
validating product confor-
mance and interoperability.

"The beginning of Mobile 
WiMAX certification enables 
our member companies to 
deliver on their business com- 
mitments, and ultimately 
moves WiMAX service 
providers closer to bringing 
the mobile broadband Inter- 
net experience and new appli- 
cations to consumers around 
the globe," said WiMAX 
Forum president Ron Resnick, 
in a prepared statement. 

Mobile WiMAX follows the 
IEEE 802.16e broadband
wireless standard, with 
Orthogonal Frequency Divi- 
sion Multiple Access multi- 
plexing. The WiMAX Forum's 
certification programs are 
designed to indicate interop- 
erability among fixed as well as 
mobile broadband wireless 
products.




Hostopia CEO Colin Campbell, center, believes that wireless synchronization of PIM data is becoming the norm. 

Nexthaus Ships Beta 
Of iPhone Sync Client 

Wireless PIM sync enabled, claims company 



BY P.J. CONNOLLY 

Although an approved iPhone 
SDK isn't due from Apple for a 
few months, one company has 
already seized the initiative. 

Hostopia's Nexthaus unit, 
which specializes in mobile 
applications, announced on 
Dec. 26 the release of a beta ver- 
sion of its Syncje client software 
for the iPhone, joining Next- 
haus' clients for Blackberry, 
IBM Lotus Notes and Microsoft 
Outlook and Outlook Express. 

The Syncje clients work 
with any SyncML server and
allow synchronization of PIM
data over wireless connections, 
and the use of automatic syn- 
chronization schedules, claims 
the company. 

As Hostopia CEO Colin 
Campbell noted in a prepared 
statement, "[W]ireless syn- 
chronization of PIM data 
across multiple devices and 
platforms is becoming a stan- 
dard user expectation, not only 
for iPhone, but for all mobility 
devices." 

For now, the company 
admits that users are proceed-
ing at their own risk when
installing Syncje on iPhone, but 
that would be expected to 
change once Apple begins 
blessing third-party applications 
later this. A year of support is 
included in the US$39.99 price 
of Syncje for iPhone. 

Nexthaus' parent Hostopia 
is a provider of wholesale Web 
services, which are then resold 
by the company's customers to 
small- and medium-size busi- 
nesses. The Nexthaus unit spe- 
cializes in data and device syn- 
chronization.



AMCC, VIRTUTECH EXTEND 
SIMICS MODELING PACT 



BY P.J. CONNOLLY 

As the pressure to reduce 
time-to-market for networked 
devices continues, many sys- 
tems designers are requiring 
improved performance from 
their models. 

In attempting to address 
these needs, Applied Micro 
Circuits (AMCC) and Vir- 
tutech announced last month 
that they had agreed to expand 
their partnership and to pro- 
vide simulation tools for
AMCC's forthcoming Power
Architecture-based processors 
that are based on Virtutech's 
Simics simulation tools. 

"We are seeing a strong 
trend within our customer 
base towards a greater use of 
fast system simulation, driven 
by the increased complexity of 
their products and the need to 
isolate complete system-level 
data flows early in the design 
cycle," noted AMCC vice 
president of marketing Sam
Fuller in a prepared state-
ment. "Our customers also 
need to perform early analysis 
of their system performance, 
based on real network traffic, 
which can be achieved 
through the use of Virtutech's 
Simics," he added. 

Virtutech already provides 
models based on its Simics 
technology for the AMCC 
PowerPC 405 and 440 fami- 
lies. Under the new arrange- 
ment, AMCC will work with 
Virtutech to provide Simics 
models as early as possible in 
the development cycle, per- 
haps making them available 
even before the general 
release of new designs.

Talk about insecurity.

SOA applications,
more often than not, run
over a wire that millions of
people access every day.

They are likely to include ser- 
vices that originate outside compa- 
ny walls and, as a result, can't be 
completely reined in. 

To make matters worse, SOA 
apps are moving targets, made up 
of services that couple and decou- 
ple as needed, said Andrew Brown, 
director of product management 
for SOA governance tool maker 
AmberPoint. "How services are 
wired together today is not how 
they will be wired together tomor- 
row." That adds up to one thing, he 
said: "When you deploy SOA, you 
are deploying a new form of insecu- 
rity." 

SOA makes the security chal- 
lenge radically more complex, 
added Roger Thornton, co-founder 
and chief technology officer for 
application security tool maker 
Fortify. "When services connect, 
you have to ask: Are you really who 
you say you are? Is anyone eaves- 
dropping? Intercepting the mes- 
sage? Changing it?" 

Security outfits and other 
experts interviewed by SD Times 
said IT organizations should attack 
the SOA security problem on many 
fronts. They need to specify which 
components can talk to each other, 
at what times, and which rules 
(such as data encryption) govern 
that conversation. They also need 
to hold partners accountable for 
strong security measures and 
ensure the integrity of the code 
itself, subjecting it to simulated 
attacks and some source code 
analysis. Finally, architects and 
developers should design the SOA 
infrastructure and the services 
themselves with security in mind, 
keeping crucial data — such as cred- 
it card numbers — far from the vul- 
nerable front line. 

Here's a list of best practices for 
accomplishing those goals: 

Deal with identity manage- 
ment. Determine who is looking at 
what and what permissions have 
been applied, said Danny Allan, 
director of security research for 
security tool maker Watchfire, 
which IBM acquired in 2007.
"That is front-of-mind for SOA
security." The key is managing the 
identities of the services as well as 
those of individuals. IT organiza- 
tions are accustomed to authenti- 
cating and authorizing end users, 
but they are not as adept at apply- 
ing those policies to machine-to- 
machine communication, said 
Adam Michelson, technical archi- 
tect for Boston-based consultancy 
Optaros. "When you look at [a 
company's] LDAP directory, there 
is a long list of end users, and only 
one [listing] for business-to-busi- 
ness communication," he said, 
referring to Lightweight Directory 
Access Protocol, for querying and 
modifying directory services such 
as those used for authentication. 

SOA allows IT organizations to 
externalize identity management 
outside of the application, said 
ZapThink analyst Ron Schmelzer. 
That eases the problem, but it's 
not a one-size-fits-all solution, he 
noted. "You have to specify details 
for each user or service," he said, 
offering an example of an online 
merchant. "You can see this 
[inventory] data, but you can't get 
at the credit card authorization 
service." 

That is sometimes trickier than 
it sounds, added Dan Foody, a vice 
president for Progress Actional, 
which sells SOA governance tools 
and other offerings. For instance, a 
computer repair application needs 
access to a service that contains 
customer data to find out what 
equipment is installed at the cus- 
tomer site. "You want the reps that 
use the repair app to see the equip- 
ment list, but not the customer's 
credit or billing history," he said.
"But if you're not careful, they can
get at every piece of information 
about that customer." 

Tame the XML beast. SOA is 
based on Web services, which use 
XML to communicate, explained 
analyst Schmelzer. Because the 
markup language is 
text-based, the body 
of the message must 
be encrypted, he not- 
ed. Also presenting a 
challenge are XML in- 
jections, a variant of a 
SQL injection, where 
a hacker inserts a 
query into the code to 
call data that is meant 
to be off limits. "XML
has to be parsed to
make sure hackers
haven't injected mali-
cious requests," he said.

Be careful what data is exposed, says Progress Actional's Dan Foody.
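
An added illustration of the XML injection point above (example code, not from the article or any vendor quoted in it). It shows a message built by pasting caller text into markup beside one built through an XML library, and a receiver that checks structure before use. The order message layout, the field names and the sample input are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

EXPECTED = ["account", "item", "quantity"]   # assumed message schema

# Constructed input: an "item" value that carries markup of its own.
HOSTILE_ITEM = "corkscrew</item><quantity>999</quantity><item>corkscrew"


def build_order_unsafe(account, item, quantity):
    """Before: caller-supplied text is pasted straight into the markup."""
    return (f"<order><account>{account}</account><item>{item}</item>"
            f"<quantity>{quantity}</quantity></order>")


def build_order_safe(account, item, quantity):
    """After: the XML library creates the nodes and escapes the text."""
    order = ET.Element("order")
    for tag, value in zip(EXPECTED, (account, item, quantity)):
        ET.SubElement(order, tag).text = str(value)
    return ET.tostring(order, encoding="unicode")


def read_quantity_lenient(xml_text):
    """A receiver that trusts the structure and takes the first <quantity>."""
    return ET.fromstring(xml_text).find("quantity").text


def parse_order_strict(xml_text):
    """A receiver that checks structure and values before using them."""
    root = ET.fromstring(xml_text)
    children = list(root)
    if root.tag != "order" or [c.tag for c in children] != EXPECTED:
        raise ValueError("unexpected message structure")
    if any(len(c) or c.attrib for c in children):
        raise ValueError("nested elements or attributes are not allowed")
    fields = {c.tag: (c.text or "") for c in children}
    qty = fields["quantity"]
    if not (qty.isascii() and qty.isdigit()):
        raise ValueError("quantity must be a non-negative integer")
    fields["quantity"] = int(qty)
    return fields
```

With the pasted-together message the lenient receiver reads the quantity the caller smuggled in rather than the one the application set; the strict receiver rejects that message, and the library-built message carries the same text as harmless data.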

Look out for 
denial-of-service attacks. Keep
an eye on unusual traffic, said 
Michelson. "If you see 10 SOAP 
[digital] signatures come over the 
wire in a row, it's probably a denial- 
of-service attack." There's no need 
to monitor traffic by hand, he said. 
"You can audit services for [such 
attacks] by writing that into a poli- 
cy." A denial-of-service attack 
attempts to shut down an applica- 
tion by sending it more traffic than 
it can handle. 

Write the rules and apply 
them. Because SOA is based on a 
hub-and-spoke model of commu- 
nication, which relies on a central 
request broker, it is easy to apply 
rules pertaining to digital certifi- 
cates (which prove a person is who 
he says he is), encryption, digital 
signatures (evidence a message
has not been tampered with), ser-
vice levels and a host of other 
issues, Michelson said, "so do it." 
Others agreed. "Someone 
building a service and making it 
available to 18 different con- 
stituencies must understand how 
each will use my ser- 
vice," added Thorn- 
ton. "I have to deliver 
the right data at the 
right time, with the 
right service levels." 
This process of writ- 
ing rules and apply- 
ing them can become 
extremely complex, 
added Foody. "But if 
you keep it too sim- 
ple, you are losing 
the benefits of SOA," 
he said. 

Provide a library 
of reusable compo- 
nents. SOA is all about reuse. To 
promote efficiency, give service 
creators access to pre-certified 
components that ease the job of 
developing services and compos- 
ing an application, said Watchfire's 
Allan. This is particularly true for 
security services common to all 
SOA apps, he added. "Developers 
shouldn't [waste time] worrying 
about things like authorization 
and access control." Agreeing with 
Allan was Michael Sutton, security 
evangelist for application security 
tool maker SPI Dynamics, which 
was acquired by Hewlett-Packard 
in mid-2007. No one builds an 
application from scratch anymore, 
he claimed. "If you need a piece of 
functionality, someone has already 
produced it." 




What to Watch Out for 



Authentication & Authorization. This is more difficult
to implement in a service-oriented architecture
because you have to authenticate and authorize ser-
vices, not just individuals.

Client-Side Attacks. Input validation or output encod-
ing is a crucial issue to test for, especially when a SOA
is consumed or mashed up using AJAX.

Command Execution. Data that is accepted from the
user needs to be appropriately validated before it is
used within the applications. This is especially true
when the application communicates with the file sys-
tem, databases and directories.

Information Disclosure. There are a number of issues
that can lead to information disclosure when someone
implements a SOA architecture. Probably the most
common among them are "hidden" services published
in a predictable resource location.

Third-Party Resources. The advent of external
resources being consumed within a mashed-up SOA
service means that the application is dependent on the
third-party resource (such as Google Maps). You have
to make sure the resource maintains availability and
has not been compromised (intentionally or uninten-
tionally). These external resources should be continu-
ously validated for integrity.

Source: IBM Watchfire

Design services with a clean sep- 
aration. The best architectural 
approach for SOA is triple-tiered, said 
Michelson: user interface on top, with 
services and data tiers below. "Don't 
allow an outside audience to link to the 
second or third tiers," he counseled. 
Sensitive services such as those that 
access customer credit card numbers 
belong in the third tier, far from the 
front line. 

Conduct source code analysis 
sparingly. Auditing source code for vul- 
nerabilities a hacker could exploit is nev- 
er a bad idea. "It's hard to argue against 
it," said Michelson, but it can eat up a lot 
of time and deliver only diminishing 
returns. One approach is to pick one ser- 
vice and look through its source code, he 
noted. Another, said Mandeep Khera, 
vice president of marketing for applica- 
tion security tool maker Cenzic, is to 
consider SOA projects in the context of 
the company's larger security priorities. 
"The enterprise has 100 applications," 
he explained, but only "two are SOA. 
Look at the big picture. Prioritize the 
top 10." 

Break your system before some- 
one else does. Conduct penetration 
testing on individual services as soon as
they are created, looking for things such
as whether user input is validated prop- 
erly, said Allan. "Then collectively test 
the entire SOA." Penetration testing 
pinpoints vulnerabilities by simulating 
hacker attacks. 

Increase security around transac- 
tions. Don't dump files with key cus- 
tomer data to an FTP server, said 
Michelson. That advice sounds obvious, 
but "boatloads of orders" are still han- 
dled that way, he said. "There's no secu- 
rity when you are doing it in batch. And 
[hackers] love finding an FTP server." 

Agree on core standards with 
business partners. A travel Web site 
sells airline tickets. Its partner sites 
rent cars. But how does a company 
manage user identities in a way that is 
meaningful to its partners, asked 
Schmelzer. "This is known as 'identity 
propagation,' where all participants 
know who the end user is." Standards 
such as WS-Federation and Liberty 
Alliance help manage this problem, he 
admitted. "But that doesn't mean 
everyone has implemented them," so 
it's imperative for all parties to meet 
face-to-face and agree on which stan- 
dard to implement. 

Keep partners accountable for 
the security of their services. How
do you know that a partner's service — a 
component in your company's SOA — is 
secure? "People tend to test their piece 
but not their neighbor's piece," said 
SPI's Sutton. There are a couple of 
solutions, said Watchfire's Allan: Ask 
for proof that the component has been 
tested for security and write it into a 
contractual agreement, or ask permis- 
sion to test the component yourself. 
"It's a warning sign if they say no." 

Keep on testing: SOAs are mov- 
ing targets. To ensure security, you 
have to audit on an ongoing basis, said 
Allan. "There are a dozen things that 
could go wrong." Is input validation 
working correctly? Is the system doing 
identity management correctly? "It's a
mistake to test for all of the problems
at once," he said. 

A key thing to check for is how 
the SOA is using third-party compo- 
nents, and whether those components 
are functioning properly, said Zap- 
Think's Schmelzer. "Take down one 
key service, [and] you can take down 
[the entire app]," he noted. "Can you 
imagine what would happen if Google 
Maps went down? How many applica- 
tions would I kill?" In the past, that 
would have been a problem for only 
Google, he noted, but with SOA, the 
impact is so much wider. "The greatest 
benefit of SOA — [the ability to share 
services] — is also the greatest problem 
of SOA."

BY JENNIFER DEJONG

It was a good idea: Get partners to 
process their own orders on the Web 
instead of doing the job for them. But 
when the small firm that provides ship- 
ping services for wineries embarked on 
its first SOA project, the application was 
nearly derailed by a serious security 
oversight. 

"A horrific vulnerability 
showed up in the first hour 
of testing," said Roger 
Thornton, co-founder and 
chief technology officer for 
application security tool 
maker Fortify. "Anyone 
connected to the system 
could change anything." 

The company, which 
Thornton did not name, did 
what many companies do: It 
took an existing call center 
application and "wrapped" it 
as a service. By SOA- 
enabling the application and 
making it available to its 
business-to-business cus- 
tomers — the wineries — the company 
sought to gain efficiencies. With its cus- 
tomers directly tied in, call center reps 
would no longer have to field orders that 
came in by fax and phone, typing in the 
who, what, when and where pertaining to 
wine shipments, said Thornton. "There 
were great business reasons to do [the 
project]." 

But in its enthusiasm, the company 
failed to think through a crucial security 
issue: Who gets access to what informa-
tion, and what changes are they autho-
rized to make? As a result, it inadver- 
tently authorized all of its customers to 
access and make changes to all account 
data on the system. In other words, they 
could view and update their own 
accounts, as well as those of all of the 
other customers. 

Thornton said the security night- 
mare was a carryover 
from the application's 
earlier incarnation, 
which allowed all call 
center reps to update 
all customer accounts. 
That level of access and 
authorization made 
sense for an application 
designed for internal 
use only, but not for 
one intended for out- 
siders, Thornton said. 
How did the company 
manage to overlook 
such a critical issue? 
"They implemented the 
application using the 
family of standards," 
"That gave them a false 
sense of security." 

WS-Security is important because it 
provides a standard way to implement 
security issues such as access control, 
authorization and encryption for Web 
services. But, of course, the standards 
don't specify who should get access and 
update privileges, said Thornton. "So 
people think: 'If I implement WS-Secu-
rity, my system is secure.'"






Be careful of the potential 
loopholes a standard can make, 
says Fortify's Roger Thornton. 
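
An added illustration (example code, not from the article or from the company it describes) of the gap in this case study and in Dan Foody's repair-application example earlier: the caller is authenticated, but nothing decides which accounts and which fields that caller may touch. The role names, field names, policy table and sample accounts are hypothetical, and the caller's identity is assumed to have been verified already by the message layer.

```python
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised for every refusal, so callers cannot tell 'forbidden' from 'missing'."""


@dataclass(frozen=True)
class Caller:
    """An identity the message layer has already authenticated."""
    name: str
    role: str


@dataclass(frozen=True)
class Rule:
    own_account_only: bool
    readable: frozenset
    writable: frozenset


# Hypothetical policy: one rule per kind of caller, default deny for the rest.
POLICY = {
    "call_center_rep": Rule(False,
                            frozenset({"shipping_address", "equipment", "billing_history"}),
                            frozenset({"shipping_address", "equipment"})),
    "partner": Rule(True,
                    frozenset({"shipping_address", "billing_history"}),
                    frozenset({"shipping_address"})),
    "repair_rep": Rule(False, frozenset({"equipment"}), frozenset()),
}


def sample_accounts():
    """Constructed sample data; 'owner' names the partner the record belongs to."""
    return {
        "acct-1": {"owner": "winery-a", "shipping_address": "1 Vine Rd",
                   "equipment": ["label printer"], "billing_history": ["inv-100"]},
        "acct-2": {"owner": "winery-b", "shipping_address": "9 Oak St",
                   "equipment": ["scanner"], "billing_history": ["inv-200"]},
    }


def update_account_wrapped(accounts, caller, account_id, changes):
    """Before: the internal function exposed as a service. Any authenticated
    caller may change any field of any account."""
    accounts[account_id].update(changes)


def _authorize(accounts, caller, account_id):
    """Look up the caller's rule and the record; refuse by default."""
    rule = POLICY.get(caller.role)
    record = accounts.get(account_id)
    if rule is None or record is None:
        raise AccessDenied("not permitted")
    if rule.own_account_only and record["owner"] != caller.name:
        raise AccessDenied("not permitted")
    return rule, record


def read_account(accounts, caller, account_id):
    """After: return only the fields this kind of caller may see."""
    rule, record = _authorize(accounts, caller, account_id)
    return {k: v for k, v in record.items() if k in rule.readable}


def update_account(accounts, caller, account_id, changes):
    """After: refuse the whole request if it touches a field the caller may not write."""
    rule, record = _authorize(accounts, caller, account_id)
    if not set(changes) <= rule.writable:
        raise AccessDenied("not permitted")
    record.update(changes)
```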
FROM THE EDITORS

A Virtual Blunder 

One or more employees of Microsoft have demonstrated that the 
mainstreaming of virtualization will not be without its hiccups, and 
that at worst, the company's much-hailed security culture has yet to be 
fully digested. 

Virtualization affords Microsoft the ability to deliver a consistent expe- 
rience to its customers. Customers evaluate software in a preconfigured 
environment in which the company doubtlessly invested its time. What 
scares us is that it seems Microsoft doesn't understand how to do this 
securely, having shipped a virtual hard disk of evaluation software that 
included previously deleted files. 

Voke analyst and founder Theresa Lanowitz was correct to call 
Microsoft out: It should have known better. Virtual machines are a new 
paradigm for software distribution, but the company's bread-and-butter 
is just that: software distribution. 

What other company would have the incentive to perfect its QC best 
practices if not Microsoft, given its dismal history of selling nearly negli- 
gently insecure software? 

Shipping a VHD of a system is tantamount to sharing that particular 
system with others. In the physical world, the machine would have been 
locked down and its free space wiped before the system was imaged. 
There appears to be no malicious plot this time, merely the familiar pic- 
ture of an incomplete quality control process at the world's largest soft- 
ware company. 

The technology of software virtualization is being exploited in new 
ways, and Microsoft's QC failure should be a lesson to all: Principles of 
management and security must also apply to virtualized software distri- 
butions. It is doubtful that the company would ship an entire copy of 
Windows on a CD containing demo software. Its partial inclusion in the 
Internet Explorer VHD file was sloppy, and inconsistent with its treat- 
ment of its shrink-wrapped products. 

For the sake of fairness, it should be noted that Microsoft has taken 
remarkable steps to weave security into its software development life 
cycle. 

It has made a substantial investment in its resources, and management 
has signed on completely. It is producing more secure software and has 
greatly improved its patching process, but it forgot to apply those hard- 
learned lessons to virtualization. 

Microsoft, and other vendors that distribute or intend to distribute 
software using virtual machines, need to establish best practices before 
disc images are built, and then adhere to those practices. 

There's no better way to retard the adoption of a perfectly good tech- 
nology such as virtualization than to mishandle it the same way as the 
Microsoftie who built the IE8 demo. 

Blind Leading the Sighted 

The old adage "the blind leading the blind" is quite apt for some 
waterfall processes. But when it comes to accessibility testing, the 
cliche should read "the blind leading the sighted." There's simply no 
substitute for end-user testing when building applications and Web sites 
for use by the disabled. 

But one problem remains: How does one simulate a disability in the 
absence of someone with the specific condition? Every possibility we 
devised came off as insensitive at best. 

Perhaps there's no politically correct solution, which may mean that an 
ultra-specialized market for QA testers will open up, and if it gives 
some people an unexpected chance to contribute, that's all the better. 

Nevertheless, the handwriting is on the wall: In a world where some 
lawyers have made careers out of suing businesses for not properly 
accommodating the disabled, it's only a matter of time before a company 
is sued because its Web site communicated too much of its information 
via streaming video or other visual display types.

CONFESSION TIME: I'm not a pro-
grammer. But despite this, I feel that I'm
able to comprehend many of the deeper 
development topics and issues even if I 
can't write a decent While/For loop. But 
this is why I can sympathize with many of 
the QA engineers that are finding them- 
selves pushed out the door in favor of 
testers with coding 
experience. When 
you get right down 
to it, your best 
possible tester is 
someone with 
extensive software 
experience but little 
actual experience programming. Why? 
Because people like me are closer to the 
end user's level of understanding than 
programmers are. It's the same reason 
that people who do special effects for 
movies can't watch films without cring- 
ing and complaining about bad effects: 
When you've been under the covers, the 
nicely made bed isn't nearly as appealing. 
So before you go firing all of your testers 
that can't read binary, just remember 
that the ability to properly write up a bug 
is far more important than the ability to 
suss out what's programmatically going 
wrong behind those windows. Besides, a 
lazy coder given a testing chore will 
always write up a script to do the deed, 
while a noncoding tester doesn't have 
that option. 

— Alex Handy 

IT'S ONE THING TO SCOUR your own 
apps for security defects before they go 
live — you can fix anything you find in 
coding and QA. But what happens when 
you subject production applications — 
including commercial software your 
company paid serious money for — to the 
same set of tests? This issue is likely to
come up now that tool makers including
Cenzic and Fortify have begun selling 
software that looks for holes that hackers 
could exploit in production applications, 
not just those still under development. I 
asked Cenzic vice president Mandeep 
Khera how this problem is likely to 
shake out, and he said two things: IT 
professionals will put pressure on ven- 
dors to fix the security flaws, while also 
protecting production applications by 
turning off the features found vulnera- 
ble to attack. It will be interesting to 
watch this unfold. 

— Jennifer deJong

MICROSOFT'S PENCHANT for ship-
ping unrefined products has expanded
and metastasized into its greeting cards, 
it seems, after a card sent on behalf of 
Microsoft proved defective. The card 
was adorned with a wintry scene over- 
laid with cutouts of abstract trees; one 
of the trees 
had fallen off 
the card. SD 
Times could 
not determine 
the origin of 
the tree's dis- 
location from the card, but on appear- 
ance, it looked as if Microsoft had 
attempted to patch the card with tape 
and glue. A Microsoft spokesperson was 
not available by press time to confirm 
that the patch had failed, or whether it 
was a last-minute hotfix.

— David Worthington 

CORRECTION 

In the Dec. 15 edition of SD Times, the 
version of iTKO LISA that introduced 
the LISA Virtual Service Environment 
was incorrectly stated. That feature was 
first available in version 4.0.

New Technologies Gaining

Developers using agile programming 
techniques, writing multithreaded 
applications or using scripting lan- 
guages can now call themselves in the 
majority, according to a recent report 
by Evans Data. The North American 
Development Survey, conducted in 
November 2007, found that 56 percent 
of developers have taken up scripting 
languages to some degree, although 
less than half of respondents use 
scripting languages more than 20 per- 
cent of the time. 

The survey also found that 54 per- 
cent of developers write multithreaded 
applications, which will be valuable 
experience as more hardware is based 
on multicore processors. For now, the 
survey found that a lack of tools and 
the complexity of parallel programming 
are the chief challenges in this area.

The Horizontal Tool Integration Imperative



While vertical tool integration might be 
good for vendors — stickiness equals 
revenue, equals lock-in, equals more rev- 
enue — consequences for customers aren't 
all that positive. What are we solving for: 
vendor profitability or better software, 
faster and cheaper? Certainly vertical inte- 
gration means at least some tools might 
work together, in some form or fashion, 
but no one has cornered the 
market on brain cells in today's
world, which is why a diverse 
portfolio of tools and applica- 
tions will always be necessary. 

Baby steps get you nowhere. 
It's time to start thinking about
how to deliver step-function 
improvements in quality — and 
this will require horizontal inte- 
gration, or tools that talk to tools 
across vendor boundaries — i.e., 
time to play nice together. Expose those 
APIs and internal data formats. Add capa- 
bilities for data export and import. 

I recently looked across our own devel- 
opment environment and was shocked to 
see what a significant contribution we are 
making to Intel and AMD's top-line 
growth, not to mention global warming. 
We have a somewhat standard continuous 
integration environment that compiles 
code every five minutes if changes in our 
source code management system have 
been detected, integrates nightly, runs 
regression tests and a bunch of the other 
well-known tools. 

The hitch is that most of these tools 
spend most of their time doing the same 
things: a compiler (parses source, builds 
an abstract syntax tree [AST]...), PMD 
for static analysis (parses source, builds an 
AST...), FindBugs for static analysis (pars-
es byte code, builds an internal struc-
ture...), Dependency Finder for interde-
pendency mapping (parses byte code, 
builds an internal structure...), Ounce 
Labs for source code security (parses 
source, produces internal representa- 
tion...), SWaudit for continuous software 
quality audits (parses source, produces 
internal representation...), EMMA for 
line coverage (instruments bytecode...), 
Cobertura for branch coverage (instru- 
ments byte code...), Infrared for perfor- 
mance profiling (instruments byte 
code...)... well, you get the picture.

STREAMLINING THE PROCESS 

So let's think about how to streamline 
this. Parse source once, create an "open- 
ly available and published abstract syn- 
tax tree" once, analyze many. Parse byte 
code, create an "openly available and 
published internal structure" once, ana- 
lyze many. Instrument for all data that 
can be collected at the same time via an 
"openly available and published" instru- 
mentation framework, collect as much 
as possible in a single run, then repeat as 
appropriate (e.g., for performance pro-
filing, footprint analysis, etc.).

Not only would this lower the electric
and HVAC bill, but it would also free up a 
cadre of really smart developers who 
could be working on the next big thing 
instead of writing or retrofitting yet anoth- 
er parser. 

Eclipse is actually a wonderful, albeit 
isolated, example of how sharing can move 
an industry forward. By open- 
ing the IDE and its APIs, 
among other things, third-par- 
ty providers no longer need to 
roll their own source code 
viewers, and results of static 
analysis can be made available 
in a manner in which they are 
immediately actionable. Also, 
developers need not learn 
multiple tools, which essen- 
tially do the same thing. 
Other industries have done a much 
better job architecting engineering 
processes that ultimately deliver quality 
products in a timely fashion, delight cus- 
tomers and deliver shareholder value. In 
automotive engineering, the move from 
design into engineering (including third- 
party supplier data), analysis (structural, 
thermal, electrical and thermoplastics) 
and simulation (crash testing, wind tun- 
nel, emissions and fuel consumption), on 
through manufacturing, is — almost — 
seamless from a data model sharing per- 
spective. We couldn't build the vehicles 
we do without this type of integration. 

Of course, when it comes to embedded 
software in automotive production, manu- 
facturers struggle with the same issues as 
the rest of the industry, with software 
defects representing one-third of all war- 
ranty issues, a fraction that is on the rise. 

So, if we think about architecting a 
development and test infrastructure 
from the ground up, it looks a lot differ- 
ent than the ones we knit together today. 
Today's product-centric — instead of cus- 
tomer-centric — development leads to 
tool fragmentation in the market and 
increased pain for the user, undoubtedly 
a key driver for shelfware. 

With a tabula rasa approach to archi- 
tecting infrastructure, not only could we 
solve today's tool fragmentation issues, 
but we could also realize the concept of 
automated tool flow, whereby the output 
of one tool becomes the input of the next. 
We could take a look at who does what, 
how and when they do it in the context of 
globally distributed development and 
quality assurance teams with nontrivial 
supplier relationships (the open source 
community, outsourced relationships, 
third-party development and verification 
and validation teams, as well as software 
certification providers). 

We would actually look at an integrat- 
ed development, quality assurance, pro- 
ject management, governance and soft- 
ware-sustaining schema across the
software development life cycle and opti-
mize for all parties involved in the 
process. This holistic view, where suppli- 
ers know the desired outputs of the ulti- 
mate customer, and design process inputs 
accordingly, would drive infrastructure to 
be built very differently — architecting not 
for a product, not even for integration, but 
for customer value with integrated tool 
flow as the natural byproduct of such an 
approach. Yes, this is a business process 
management and optimization approach 
to software development. After all, isn't 
software development a critical enabler to 
business success and hopefully also a 
competitive differentiator when it comes 
to delivering shareholder value? 

MORE WAYS TO MEASURE PROCESS 

Such a holistic approach would open up 
all kinds of possibilities too when it comes 
to measuring the process, whether it be 
understanding potential failure modes 
(what can and will go wrong), completing 
project risk assessments (to improve
software project predictability and identi- 
fy systemic issues), pinpointing quality 
issues including those caused by design 
debt and design marginality (that needs to 
be dealt with now or later), characterizing 
the process across individual or aggregat- 
ed iterations of the software development 
life cycle (in the interest of continuous 
process optimization) and continuously 
assessing software readiness (including 
readiness for QA test, system integration 
and field deployment). 

Interfaces, APIs and data models that 
can be logically standardized should be, 
such as AST, byte code internal formats, 
APIs for accessing both, as well as build 
conventions. 

Developers, QA and management 
would be the initial beneficiaries with 
code intelligence served up on a single 
silver platter — but only if we can make 
tools work together. I'm not proposing 
that this all happen overnight, but from a 
process architecture perspective, this is 
not rocket science either. The crux of the 
matter is that we need to think horizontal 
integration and tool flow.

If our tools remain siloed and work in 
isolation, their value is limited. But if we 
enable process integration across the soft- 
ware development life cycle, we can 
achieve significant improvements in effi- 
ciency, effectiveness and quality. And, by 
reducing redundant development, we can 
also accelerate innovation and actually 
remove the invisible handcuffs that keep 
us from truly realizing the ever-present 
"do more with less" goal. Ultimately the 
big winners are customers who benefit 
from higher-quality and richer-functioning 
software, delivered more predictably.

Susan Kunz is president and co-founder of 
Solidware Technologies; before that, she 
worked at Sun Microsystems.

Crushed by Technical Debt?



Pay off your credit cards every 
month; it's the single best practice 
in personal finance. Learning this the 
hard way is tough — paying off interest 
and only nibbling away at the principal 
is a brutal experience. Paying off tech- 
nical debt can be equally soul-crush- 
ing. 

The phrase "technical debt" was 
introduced by Ward Cunningham in the 
early 1990s to specifically refer to the 
work that remains after shipping code: 
that which works but is not quite right 
(the hard-coded tax rate, the function 
named proccssjj, the fields that are 
always null). Today, with the much 
shorter release cycles of the Web-driven 
world and refactoring IDEs, it makes 
more sense to think of technical debt as 
accumulating every time you ignore a 
"code smell," and rather than spending 
whatever seconds or minutes necessary 
to refactor it away, you decide to live 
with it. 

As with fiscal debt, the problem 
with technical debt is not its existence 
or even its instantaneous magnitude. 
The problem is the interest. If you 
have code that is harder to understand
than it could be, you pay the interest in
slower maintenance and evolution. If 
you have code that is not robust against 
reasonably common environmental 
issues (errors in input format, network 
and database timeouts, large data sets, 
etc.), you pay the interest in error 
analysis and program monitoring 
(when you hear the phrases 
"let me check the logs" or 
"let me watch the run," 
you've got an interest pay- 
ment at hand). 

The other day I had a 
prime example: I needed to
decouple the concept of a 
"monthly schedule" from the 
concept of a month starting 
on the 1st (and, just to make 
it interesting, "in leap years, 
our January schedule ends on the 30th 
and our February schedule starts on 
January 31."). The change to the core 
data structure went well enough, but 
the UI has lots of calendars and I 
needed to touch quite a few pages. 
One in particular I opened up, 
Ctl-F'ed my way to the title that I saw 
in the browser, made the appropriate
modifications, and brought it up in a
new browser window. No change in 
appearance. Hmm... It "only" took me 
several minutes to realize that the page 
had two execution paths invoking mas- 
sive amounts of cut-and-paste HTML 
and that I had modified only one of the 
two paths. 

Now I faced the same 
choice the client had. It 
would have been fast for me 
to add my modifications on 
either side of the "if-then." 
The result would have been 
slightly harder to maintain
and slightly harder to refac-
tor with confidence. Just as
with monetary debt, techni-
cal debt compounds over 
time. Since this was for a 
client who pays on an hourly basis, the 
Web developer's decision to save his 
employer a few minutes of time ended 
up costing his employer quite a few 
dollars. 

Technical debt can ruin even the 
most talented teams. The same smart, 
capable developers who brought forth 
fabulous version X can suddenly appear
to be absolutely ineffective because
they are spending all of their time pay- 
ing off their debt. And, of course, the 
time until the next release is shrinking, 
making additional technical debt all the 
more likely. 

There's no doubt that incurring 
technical debt can be a valid business 
decision, particularly when winning a 
client or prototyping. However, there's 
also no doubt that if the habit becomes 
ingrained, serious trouble is inevitable, 
both for the company and for individ- 
ual technical managers. In my experi- 
ence, selling "for the next several 
months, our effective productivity is 
going to drop by three-fourths" to 
executive management is one of the 
nastiest minefields in software devel- 
opment. Sadly, it's not uncommon to 
find teams that descend into the creep- 
ing poverty of technical debt rather 
than make the painful sacrifices neces- 
sary to regain full productivity. Don't 
let your team be one of those. Have 
your team pay their technical debts 
promptly and conscientiously. Once 
the proper habits are formed, staying 
ahead is easy.

Larry O'Brien is a technology consul- 
tant, analyst and writer. Read his blog at
www.knowing.net.



Patterns as an Anti-Pattern? 



For reasons that elude me, the 
arrival of the book "Design Pat- 
terns" in 1995 created enormous inter- 
est in the programming industry. The 
book, now known affectionately as the 
Gang of Four (or GoF) book due to its 
having four authors, posited a notion 
that did not seem radical, but which 
impressed a lot of people — namely, 
that there were recurring types of pro- 
gramming problems that could be 
addressed using a systematic sequence 
of steps. 

That sequence of remedial activities 
was spelled out by the GoF, and these 
recipes — or patterns — became the 
object of considerable study. Expo- 
nents, such as former SD Times 
columnist Allen Holub, went on to say 
that all 23 GoF patterns should be 
learned, memorized and used by devel- 
opers. The goal was that at various 
points in programs you could refer to 
the pattern and later developers would 
know from the name what the code did 
and how. So, for example, if you 
described a class as a Façade, everyone
would know that class was a front end 
to some other subsystem. 

I like this vision. In pure program- 
ming terms, the closest equivalent is 
collections. When I say that something 
is implemented as a hash table, you 
nod knowingly and you don't need to 
check out the details of how data items 
are stored. Unfortunately, the patterns
presented by the GoF never obtained
the universal implementation that was 
required for this vision to succeed. 

Moreover, it turns out the patterns 
had numerous aspects that are ques- 
tionable or not terribly helpful. Yet the 
static perception of their enduring val- 
ue continues on. 

First, let's clarify that 
what we are talking about 
are not really design pat- 
terns. They are better 
described as implementation 
patterns. They are code-level 
solutions that help you 
implement a specific action. 
They are not the domain of 
architects and designers, but 
rather recipes for coders 
who implement designs. 
GoF patterns are much closer to the 
concept of refactoring and coding 
shortcuts than they are to techniques 
an architect would use in designing a 
project. 

One problem is that some patterns 
are so obvious as to make you wonder 
why they would be singled out as an 
item of interest: for example, the 
Façade pattern. This pattern basically
suggests that when you have to deal 
with a subsystem that has a complex 
programming interface, you write a 
code layer that simplifies your interac- 
tion with that system. You then make 
calls to your interface, which translates
the calls into the complex calls to the
subsystem. That is, it's syntactic sugar. 
As you can imagine, there is no specif- 
ic recipe for doing this — the variations 
are almost infinite, so it's hard to see 
how it's a pattern at all. 

The one benefit I detect here is one 
of nomenclature. I can say to someone 
I will write a Façade for this
subsystem, and they know 
what I mean. 

Another problem is that 
some GoF patterns that 
were fairly original have 
proven to be poor recom- 
mendations in practice: for 
example, the Singleton. 
The Singleton is a way to 
jimmy language syntax so 
that it's impossible to create
more than one instance of a specific 
class. 

Over the years, however, it has 
become increasingly clear that Single- 
tons have very serious drawbacks that 
often outweigh the benefit of being 
assured there's only one instance. Sin- 
gletons fly in the face of object orienta- 
tion and force intricate dependencies, 
which become an enormous obstacle in 
testing, especially unit testing. And 
since developers generally prefer the 
benefits of good unit testing to the syn- 
tactical assuredness of a single 
instance, many are opting to remove 
Singletons and replace them with nor-
mal objects. These developers simply
make sure that the object is created 
just once in the production code. 

Other patterns are complex enough 
that they are the subjects of partial 
implementations. These include the 
Factory and Abstract Factory patterns, 
which can require features that are not 
needed. 

Finally, there is the Interpreter pat- 
tern, which says that if you need to 
embed a small language in your soft- 
ware, follow basic rules to build an 
interpreter. The trouble is that as the 
pattern lies, the interpreter model that 
is proposed could only be used for a 
trivial language. As the GoF points out, 
for anything more, you need to use 
compiler building tools. So, why the 
pattern? 

I should note that many of the 
remaining patterns are useful and fre- 
quently used. However, the prevailing 
view that the GoF is the defining treat- 
ment of patterns seriously undercuts 
the value of patterns in general. 

Patterns should evolve over time. 
There should be new ones added, oth- 
ers dropped, and in all cases thorough 
testing done before wide promulgation 
so that what the patterns recommend is 
truly useful. 

When that happens, I believe, we 
will be able to use, depend on and 
communicate through patterns in ways 
that are truly useful.

Andrew Binstock is the principal analyst 
at Pacific Data Works. Read his blog at
binstock.blogspot.com.

Have You Made Your Service-Oriented Resolutions?



As the calendar turns to 2008, this is
a good time to make some New
Year's resolutions around the creation of 
your SOA, and getting your applications, 
and enterprise, into a more agile state. 
Here are some to consider: 

1. Create a core SOA strategy for 
the enterprise. While many strategies 
end up without sponsors or execution, a 
quick and dirty written-down strategy
will provide a base of understanding for 
the enterprise that this is, indeed, the 
correct direction and provide an 
approach for moving forward. From 
here you can create a plan and request 
resources. A strategy is a great place to 
start. 

2. Obtain some SOA training. 
SOA is a funny thing. Everyone thinks 
they understand it, but during execu- 
tion many projects fail due to lack of 
knowledge. Now is a good time to take 
some SOA training, and I'm not talking 
about some Webinar. I'm talking about 
a multiday class where you work and 
share information with others. 

This will reap many benefits such as 
avoiding core mistakes and doing it 
right the first time. However, there is 
good training and bad training out 
there... make sure to check the refer- 
ences of the training provider. You
want to take a course from a practition-
er, not a professional teacher; there is a 
difference. 

3. Review core life cycle proce- 
dures and update for SOA. Most 
enterprises have software development 
life cycle procedures set in stone and fol- 
low them religiously. However, SOA is a 
bit different than "traditional" design, 
development, testing and deployment, 
so now is a good time to 
update those procedures to 
support SOA. 

This means dealing with 
applications as collections of 
services, not a monolithic 
application, and that's a very 
different way of going about 
software development. Also, 
revisit resolution No. 2. 
Retraining would be good 
here as well. 

4. Create a SOA ROI. Once you 
go into your boss' office to ask for the 
million or so bucks you need to com- 
plete your SOA, he or she is going to 
ask the burning question: What's in this 
for the business? You'll need a 
response to that, and it's ROI. 

Figuring out the ROI for your 
enterprise is more art than science, 
however; in essence, it's to understand
the existing inefficiencies, put a cost to
those inefficiencies, and then deter- 
mine how much savings will come from 
the use of a SOA. 

For the most part, SOAs are all 
about adding value by making the 
architecture more changeable or agile. 
Thus, the more changeable your orga- 
nization, the more ROI SOA will bring. 
However, your mileage may vary a lot, 
so make sure you create an 
ROI model that reflects 
your current business. I've 
done dozens of these, and 
they are all different. 

5. Get help. One of the 
things I'm finding is that 
SOA is being driven by IT 
leaders within the enter- 
prise, and many times the 
last thing they want is peo- 
ple smarter than them 
around. It's called job protection, and 
it's silly and counterproductive. 

SOA is complex, difficult and takes 
a long time. Moreover, it's a bet-the- 
business kind of project, and you can't 
fool around with a trial and error 
process as you did with that data ware- 
house or ERP implementation you did. 
It's architecture, it's systemic, and it's 
important. Thus, at the very least, get
some mentoring assistance — somebody
who can look over your shoulder and 
make sure you're not making critical 
mistakes. I'm not talking about consul- 
tants to do your work, but somebody to 
validate your work and teach you. 

6. Create a SOA study strategy. 
There is a lot out there on SOA: blogs, 
podcasts, columns, books and a few 
conferences as well. So, which infor- 
mation do you ignore, and which do 
you absorb? Now is a good time to look 
at the resources out there, and create a 
"My SOA" page that includes blogs, 
columns, podcasts and other media 
feeds that you find helpful. 

This will both help you learn and 
stay current with the technology 
trends. However, make sure you don't 
become one of those guys who "man- 
age by magazine." Those are mere data 
points, and not a strategy specific to 
you. 

So, will 2008 be the year of SOA? 
No, it will be 2008-2015, if you ask me. 
SOA is a journey, not a project, and 
there is so much to get done that most 
of you are feeling a bit overwhelmed. 
My best advice is to get started; if 2007 
slipped away without progress on your 
SOA, then this is a great time to make 
some 2008 SOA resolutions.

David S. Linthicum is a managing part- 
ner at ZapThink. Reach him at 
david@zapthink.com.

People use the act of turning the page
to a new year to make life-altering res- 
olutions. No small stuff here, like vowing 
to be nicer to other people. These start- 
the-year-off-right promises to one's self 
often shoot for the moon: I will quit smok- 
ing. I will lose weight. I will free myself of 
all the things that bring me down. 

Practitioners of software develop- 
ment, and the purveyors of 
tools intended to ease that 
task, should look in the mirror 
to see how they can change 
their lives in the year ahead. 
Of course, this type of intro- 
spection often is difficult. 
People lack the time, or the 
honesty to themselves, to 
accurately assess where they 
need to improve. So, in the 
holiday spirit of giving, I have 
prepared a short list for development 
managers that can serve as a jumping-off 
point for resolutions of their own. 

Resolve not to cave in to pressure 
to adopt new techniques or practices 
if they don't feel right for your orga- 
nization. There has been a lot of talk in 
recent years about service-oriented archi- 
tecture, agile development practices and 
application life cycle management, among 
other topics, examining how they can sim- 
plify development and integration in a 
Web services world. Corporate suits read 
about one or more of these, then insist 
they get implemented in-house ASAP. 

But if your shop is running well, with 
applications getting out the door in a time- 
ly manner with minimal errors, there 
might not be a need to change what you're 
doing. Let's not forget that many, many 
successful pieces of software have been 
rolled out under the waterfall method of
development. Let's not forget that Web
services are still in their infancy; that the 
standards for security, transactions and 
reliability are new. Also, let's not forget 
that implementing a service-oriented 
architecture is enormously complex and 
will affect your entire software portfolio. 

These new technologies can be tough 
to begin using. There will be cultural bar- 
riers, technology barriers and 
educational barriers standing 
in the way of success. So be 
resolute. Stay strong. Just say
"no" to SOA, ALM and agile if
they're just not applicable to 
your organization at this point 
in time. 

At the same time, resolve 
to attend a conference this 
year. Our industry is moving
at a breakneck pace; lan-
guages, roles, technologies and method- 
ologies that have been accepted for years 
are coming under scrutiny like never 
before. Folks are talking about uses for 
dynamic languages that heretofore were 
never considered. Agile, as noted in the 
second part of a three-part series now 
running in this newspaper, has changed 
the way people interact within a software 
group. While the same ol', same ol' 
might be fine for your organization for 
now, you owe it to yourself — and your 
company — to stay on top of these evolu- 
tionary changes. Only at an industry con- 
ference can you get face time with peers 
facing the same hurdles and challenges 
you are, and with experts who can help 
you get past those obstacles. You need to 
explain to your boss that this is money 
well spent, and that time out of the 
office, to dive into the subject that's been 
vexing your teams, is the best way to
keep things moving forward and for-
ward-looking. 

Resolve to avoid undertaking 
impossible projects that are doomed 
to fail before they begin. This can be 
a tough one, as the residents of the nose- 
bleed floors of your building will set 
ridiculous deadlines and seriously under- 
fund or understaff the project. It is your 
job to explain in the most effective way 
possible why the new inventory-tracking 
software can't be rolled out in two weeks 
using one guy who's also rearchitecting 
the Web site, which the suits said they 
needed last week. It's not easy to tell the 
boss upfront that his expectations are not 
realistic, but it'll be better nonetheless 
than watching the deadlines come and go 
with the answer, "I told you it wasn't 
doable." That'll just anger the powers 
that be. 

Finally, resolve to make your team 
better this year. This is what really sep- 
arates good managers from the rest. You 
have talented people working for you, 
and some that are less so. Put the strong 
people in the best position to help the 
project succeed; work with the weaker 
links on training, education and whatev- 
er it takes to get them up to speed. Per- 
haps you'll want to pair them up with the 
strong developers, to get a hands-on 
experience that will improve their skills. 
Success under these conditions will go a 
long way to fight burnout, resentment 
and the other ugly behaviors that can 
undermine your team. Make people feel 
like they have value, and that they are 
appreciated, and the results will exceed 
those in an environment where the 
weaker developers are marginalized, and 
the strong ones are loaded up like pack 
mules and ridden harder than Alydar 
during a stretch run against Affirmed.

The market for Linux products and services will grow from US$2.4
billion in 2007 to $7.7 billion in 2012, according to a recent report 
by Ireland-based Research and Markets, but growth will slow from 
36 percent this year to 17 percent in 2012. Because much of the 
software for Linux is given away freely, revenues for services will 
dramatically outpace revenues for software. It is expected that ser- 
vices will account for 81 percent of the Linux market by 2012. Also, 
the study found that Linux for the desktop will make inroads over 
the next few years. Currently, the server market accounts for 83 
percent of Linux use, but that will slip to 81 percent in 2012, as 
client-side Linux grows . . . Customer satisfaction with online retail 
during the 2007 holiday season fell from a year earlier, according 
to the Foresee Results Top 40 Online Retail Satisfaction Index. 
Online sales rose at their slowest pace since their measurement 
began, and aggregate satisfaction with the leading online retailers 
scored 74 on a 100-point scale, losing 1.3 percent from a year ago. 
"Online shopping is still the bright spot for holiday retailers, but 
lower satisfaction coupled with slower than expected spending 
growth puts a little cloud over the season," Larry Freed, president 
and CEO of Foresee Results, said in a statement. "In an economy
where consumers are feeling the pinch, there's increased competi-
tion for the customer's dollar. So, it's even more important for
e-retailers to meet their customers' needs online." Last year's top- 
rated Web sites again led the way, with Netflix (86), Amazon (82), 
L.L. Bean (80) and QVC (80) posting the highest scores. The most 
improved Web sites from last year include Costco (up 4.3 percent 
to 72), Zappos (up 4 percent to 78) and Avon (up 3.9 percent to 
79). Overall, 10 sites have increased customer satisfaction from 
last year, while 18 sites saw their scores slip. 

EARNINGS: TIBCO Software reported fourth-quarter revenue of 
US$186.1 million and net income of $27.6 million, or 14 cents per 
diluted share, for the period ending Nov. 30, 2007. License revenue 
was $99.6 million, 13 percent ahead of the prior year's period, and 
the company closed a record 139 deals for more than $100,000. 
"We finished with a strong Q4 ending the year with double-digit 
growth," TIBCO chairman and CEO Vivek Ranadive said in a state- 
ment . . . Oracle has announced that its second-quarter fiscal 
2008 GAAP net income was US$1.3 billion, 35 percent ahead of 
the same period last year, and total GAAP revenues were up 28 
percent to $5.3 billion. Revenue from software was $4.2 billion, 
with new software license revenues up to $1.7 billion.



EVENTS CALENDAR 



Southern California Linux Expo
Feb. 8-10
Los Angeles
SCALE INC.
www.socallinuxexpo.org

Game Developers Conference
Feb. 18-22
San Francisco
CMP MEDIA
www.gdconf.com

FutureTest 2008
Feb. 26-27
New York
BZ MEDIA
www.futuretest.net

Emerging Technology Conference
March 3-6
San Diego
O'REILLY MEDIA
conferences.oreillynet.com/etech

MIX 2008
March 5-7
Las Vegas
MICROSOFT
www.visitmix.com/2008

BrainShare
March 16-21
Salt Lake City
NOVELL
www.novell.com/brainshare

EclipseCon 2008
March 17-20
Santa Clara
ECLIPSE FOUNDATION
www.eclipsecon.org/2008

Secure Development World
March 25-26
Alexandria, Va.
SDW
www.securedevelopmentworld.com

SLAM (Sales, Licensing, Alliances & Marketing)
April 3-4
Burlingame, Calif.
SOFTWARE BUSINESS
www.slamconference.com

Developer Relations Conference
April 7-8
Redwood City, Calif.
EVANS DATA
www.evansdata.com/drc

RSA Conference
April 7-11
San Francisco
RSA
www.rsaconference.com/2008/US

MySQL Conference & Expo
April 14-17
Santa Clara
MYSQL
en.oreilly.com/mysql2008

Embedded Systems Conference
April 14-18
San Jose
CMP MEDIA
www.embedded.com/esc/sv

Software Test & Performance Conference
April 15-17
San Mateo, Calif.
BZ MEDIA
www.stpcon.com

Software 2008
April 29-30
Las Vegas
CMP MEDIA
www.software2008.com



For a more complete calendar of U.S. software 
development events, see www.bzmedia.com/calendar. 
Information is subject to change. Send news about 
upcoming events to events@bzmedia.com.